I have the following log statement, which uses a semicolon delimiter, and I want to extract columns as specific fields using Regex in IFX.
[1427894078] SERVICE ALERT: example.com ;Current Load;CRITICAL;SOFT;3;CRITICAL - load average: 1.96, 1.29, 0.59
However, I'm not so good at Regex, so I would need help to create 4 separate regular expressions (will be saved as 4 different fields) which return the following results:
[1427894078] SERVICE ALERT: example.com
Current Load
CRITICAL;SOFT;3
CRITICAL - load average: 1.96, 1.29, 0.59
The FIND (match) expression can be the following:
^(.*?);(.*?);(CRITICAL.*?);(CRITICAL.*)$
The REPLACE or EXTRACTION code is the next one:
$1\r\n$2\r\n\r\n$3\r\n$4\r\n
The \r\n standing for CR/LF. In a PERL-transformation-routine \n would be sufficient.
More details are needed to make a real PERL-transformation-routine out of it.
You can contact me on romdeclercq at skynet dot be
Kind Regards,
Romain.
^(?P<alert>.*?) ;
(?P<stuff>.*?);
(?P<more_stuff>\w+;\w+;\d+);
(?P<ending_stuff>.*)$
Here is a nice tool for trying it out yourself and testing.
Thanks, this works and solves my need!
Try this:
| rex "^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>w+;\w+;\d);(?<field4>.+)"
Sorry, here's a fixed version (copy/paste it to the end of your search verbatim):
| rex "^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>[^;]+;[^;]+;[^;]+);(?<field4>.+)$"
Screenshot: http://tinypic.com/r/2vj8tvd/8
When I copy/paste ^(?[^;]+);(?[^;]+);(?w+;\w+;\d);(?.+)
in the input field "Regular expression pattern" I get error message
Invalid regex: syntax error
and
Regex does not extract any named fields.
Did you include the quotation marks?
No. Please see screenshot http://tinypic.com/r/35i2afs/8
Edited original post. Retry please.
Don't use the interactive field extraction. Just add-it onto your search.
Please click "Accept Answer" if this worked
I can't accept that comment as an answer. It seems like I need to move it to Reply, but I don't have access to do it.
Sorry, but it still doesn't work. However, reply from @aljohnson_splunk solved the problem. Thanks to both of you!
No, still same error message.
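The patterns from this thread, run against the sample event from the question (an added example, not code posted by any participant). It assumes the four-line pattern is a single regex split across lines, and it rewrites the rex-style `(?<name>...)` groups as `(?P<name>...)` for Python's `re`; `extract` and `compare` are hypothetical helper names.

```python
import re

# Sample event copied from the question.
EVENT = ("[1427894078] SERVICE ALERT: example.com ;Current Load;CRITICAL;SOFT;3;"
         "CRITICAL - load average: 1.96, 1.29, 0.59")

# The thread's patterns. Assumption: the four-line pattern is one regex
# split across lines; rex-style (?<name>...) groups are rewritten as
# (?P<name>...) because Python's re module requires that spelling.
PATTERNS = {
    "named_lazy": r"^(?P<alert>.*?) ;(?P<stuff>.*?);(?P<more_stuff>\w+;\w+;\d+);(?P<ending_stuff>.*)$",
    "rex_first": r"^(?P<field1>[^;]+);(?P<field2>[^;]+);(?P<field3>w+;\w+;\d);(?P<field4>.+)",
    "rex_fixed": r"^(?P<field1>[^;]+);(?P<field2>[^;]+);(?P<field3>[^;]+;[^;]+;[^;]+);(?P<field4>.+)$",
}


def extract(pattern_name, event):
    """Return the named groups as a dict, or None when the event does not match."""
    match = re.search(PATTERNS[pattern_name], event)
    return match.groupdict() if match else None


def compare(event):
    """Run every pattern and report fields that keep whitespace at their edges."""
    report = {}
    for name in PATTERNS:
        fields = extract(name, event)
        padded = [] if fields is None else [k for k, v in fields.items() if v != v.strip()]
        report[name] = {"fields": fields, "padded": padded}
    return report


if __name__ == "__main__":
    # Constructed variant: plugin output that itself contains a semicolon.
    variant = EVENT + "; 5 processes"
    for label, event in (("question", EVENT), ("constructed", variant)):
        for name, result in compare(event).items():
            print(label, name, result)
```

The `[^;]+` version keeps the space before the first semicolon in field1, so trim it or match ` ;` explicitly as the lazy pattern does.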