How to write the regex to extract the error code f...

swapnilkale · ‎07-22-2015

How can I find all the error codes from the logs and show it as interesting field?
e.g. Message : Information with Insured. (PL200XXX)
Here PLXXXXX is the error code within the parentheses. What regex or search criteria should I use to make this work? I am new to Splunk and exploring it.

Thanks a lot for your help.
Swap

edrivera3 · ‎07-22-2015

Try:
If the error code always starts with PL and there are other values between ( ) in your data.
.. | rex "\((?<err_code>PL\w+)\)"

Good Luck!

alacercogitatus · ‎07-22-2015

This one is pretty simple.

sourcetype=yoursourcetype | rex field=_raw "\((?<errorcode>[^)]+)\)"

This should give you the results you want in errorcode. This is a very quick regex - if you are going to make it "production ready", don't use rex, use the props/transforms to pull it automatically.

swapnilkale · ‎07-23-2015

Thanks a lot guys! I will surely try it today.

How to write the regex to extract the error code from my sample log?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

How to write the regex to extract the error code from my sample log?

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...