How to write the regex to extract the error code f...

swapnilkale · ‎07-22-2015

How can I find all the error codes from the logs and show it as interesting field?
e.g. Message : Information with Insured. (PL200XXX)
Here PLXXXXX is the error code within the parentheses. What regex or search criteria should I use to make this work? I am new to Splunk and exploring it.

Thanks a lot for your help.
Swap

edrivera3 · ‎07-22-2015

Try:
If the error code always starts with PL and there are other values between ( ) in your data.
.. | rex "\((?<err_code>PL\w+)\)"

Good Luck!

alacercogitatus · ‎07-22-2015

This one is pretty simple.

sourcetype=yoursourcetype | rex field=_raw "\((?<errorcode>[^)]+)\)"

This should give you the results you want in errorcode. This is a very quick regex - if you are going to make it "production ready", don't use rex, use the props/transforms to pull it automatically.

swapnilkale · ‎07-23-2015

Thanks a lot guys! I will surely try it today.

How to write the regex to extract the error code from my sample log?

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

How to write the regex to extract the error code from my sample log?

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?