Splunk Search

How to write the regex to extract semicolon delimited fields?

ismarslomic
Path Finder

I have the following log statement, which uses a semicolon delimiter and where I want to extract columns as specific fields with use of Regex in IFX.

[1427894078] SERVICE ALERT: example.com ;Current Load;CRITICAL;SOFT;3;CRITICAL - load average: 1.96, 1.29, 0.59

However, I'm not so good at Regex, so I would need help to create 4 separate regular expressions (which will be saved as 4 different fields) that return the following results:

  1. [1427894078] SERVICE ALERT: example.com
  2. Current Load
  3. CRITICAL;SOFT;3
  4. CRITICAL - load average: 1.96, 1.29, 0.59
0 Karma
1 Solution

aljohnson_splun
Splunk Employee
^(?P<alert>.*?) ;(?P<stuff>.*?);(?P<more_stuff>\w+;\w+;\d+);(?P<ending_stuff>.*)$

Here is a nice tool for trying it out yourself and testing.

https://regex101.com/r/kC3gH0/1


romdece
New Member

The FIND (match) expression can be the following:

^(.*?);(.*?);(CRITICAL.*?);(CRITICAL.*)$

The REPLACE or EXTRACTION code is the next one:

$1\r\n$2\r\n\r\n$3\r\n$4\r\n

The \r\n stands for CR/LF.

In a PERL-transformation-routine \n would be sufficient.

More details are needed to make a real PERL-transformation-routine out of it.

You can contact me on romdeclercq at skynet dot be

Kind Regards,

Romain.

0 Karma

ismarslomic
Path Finder

Thanks, this works and solves my need!

0 Karma

masonmorales
Influencer

Try this:

| rex "^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>w+;\w+;\d);(?<field4>.+)"

Sorry, here's a fixed version (copy/paste it to the end of your search verbatim):

| rex "^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>[^;]+;[^;]+;[^;]+);(?<field4>.+)$"

Screenshot: http://tinypic.com/r/2vj8tvd/8
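The two working patterns in this thread (aljohnson_splun's accepted answer with lazy `.*?` groups, and masonmorales's fixed `rex` with `[^;]+` negated classes) can be checked offline before being deployed as a field extraction. The script below is an added example, not code from the thread or from Splunk; it uses Python's `re` module as a stand-in for Splunk's PCRE-based `rex`, and the extra sample lines and the helper names `splunk_to_python`, `extract` and `unmatched` are constructed for this illustration. It goes slightly beyond the question by also running both patterns over a small batch of lines and listing the ones that silently fail to match, which is the check you want before relying on an extraction for alerting.

```python
import re

# The log line from the question (copied from the thread).
LOG_LINE = ("[1427894078] SERVICE ALERT: example.com ;Current Load;CRITICAL;SOFT;3;"
            "CRITICAL - load average: 1.96, 1.29, 0.59")

# Constructed sample lines for the coverage check: one more SERVICE ALERT that should
# match, and a HOST ALERT with fewer fields that neither pattern is written for.
SAMPLE_LINES = [
    LOG_LINE,
    "[1427894200] SERVICE ALERT: db01.example.com ;Disk Usage;WARNING;HARD;2;"
    "DISK WARNING - free space: /var 512 MB (8%)",
    "[1427894300] HOST ALERT: web02.example.com;DOWN;HARD;1;"
    "PING CRITICAL - Packet loss = 100%",
]


def splunk_to_python(pattern):
    """Rewrite Splunk/PCRE named groups (?<name>...) as Python's (?P<name>...).

    Only group openers are touched; lookbehinds (?<= and (?<! are left alone.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


# Accepted answer: lazy groups, with the literal " ;" absorbing the stray space
# after the hostname so that 'alert' has no trailing whitespace.
ACCEPTED_RE = re.compile(
    r"^(?P<alert>.*?) ;(?P<stuff>.*?);(?P<more_stuff>\w+;\w+;\d+);(?P<ending_stuff>.*)$"
)

# masonmorales's fixed rex pattern, exactly as posted, converted for Python's re.
NEGATED_CLASS_RE = re.compile(splunk_to_python(
    r"^(?<field1>[^;]+);(?<field2>[^;]+);(?<field3>[^;]+;[^;]+;[^;]+);(?<field4>.+)$"
))


def extract(pattern, line):
    """Return the named groups as a dict, or None when the line does not match at all."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def unmatched(pattern, lines):
    """Lines the pattern would drop: a field extraction that matches nothing yields no
    fields, so these are the events a search or alert built on the fields would miss."""
    return [line for line in lines if pattern.match(line) is None]


if __name__ == "__main__":
    for name, pat in (("accepted", ACCEPTED_RE), ("negated-class", NEGATED_CLASS_RE)):
        print(name, extract(pat, LOG_LINE))
        for line in unmatched(pat, SAMPLE_LINES):
            print(name, "does not match:", line)
```

The two patterns give the same fields except for one detail: the `[^;]+` version keeps the space before the first semicolon as part of `field1`, while the accepted answer consumes it with the literal `" ;"`. Both are anchored with `^` and `$`, so a line with a different shape (the constructed HOST ALERT) is reported by `unmatched` rather than producing a partial, misleading extraction.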

ismarslomic
Path Finder

When I copy/paste ^(?[^;]+);(?[^;]+);(?w+;\w+;\d);(?.+) into the input field "Regular expression pattern", I get the error message

Invalid regex: syntax error

and

Regex does not extract any named fields.

0 Karma

masonmorales
Influencer

Did you include the quotation marks?

0 Karma

ismarslomic
Path Finder

No. Please see screenshot http://tinypic.com/r/35i2afs/8

0 Karma

masonmorales
Influencer

Edited original post. Retry please.

0 Karma

masonmorales
Influencer

Don't use the interactive field extraction. Just add it onto your search.

0 Karma

masonmorales
Influencer

Please click "Accept Answer" if this worked

0 Karma

ismarslomic
Path Finder

I can't accept that comment as an answer. It seems like I need to move it to Reply, but I don't have access to do it.

0 Karma

ismarslomic
Path Finder

Sorry, but it still doesn't work. However, the reply from @aljohnson_splunk solved the problem. Thanks to both of you!

0 Karma

ismarslomic
Path Finder

No, still same error message.

0 Karma