How to write the regex to extract the error code f...

swapnilkale · ‎07-22-2015

How can I find all the error codes from the logs and show it as interesting field?
e.g. Message : Information with Insured. (PL200XXX)
Here PLXXXXX is the error code within the parentheses. What regex or search criteria should I use to make this work? I am new to Splunk and exploring it.

Thanks a lot for your help.
Swap

edrivera3 · ‎07-22-2015

Try:
If the error code always starts with PL and there are other values between ( ) in your data.
.. | rex "\((?<err_code>PL\w+)\)"

Good Luck!

alacercogitatus · ‎07-22-2015

This one is pretty simple.

sourcetype=yoursourcetype | rex field=_raw "\((?<errorcode>[^)]+)\)"

This should give you the results you want in errorcode. This is a very quick regex - if you are going to make it "production ready", don't use rex, use the props/transforms to pull it automatically.

swapnilkale · ‎07-23-2015

Thanks a lot guys! I will surely try it today.

How to write the regex to extract the error code from my sample log?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation