Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Multiple regex in a field extraction

byu168
Path Finder
‎05-25-2017 11:31 AM

Hi,

What I mean is that I want to parse all the error messages in my logs into one field called Errors but the regular expressions are different.

Examples:
Error: exceed max iterations, iter 120, count_trial 120
ERROR setup_acap_venv.sh failed.
ERROR [ac_analysis.tools.merge_annotations:327]

They don't quite all match up so one field extraction won't encompass all of them. Is there a way to have multiple regex that go into one field? Or is there a way to handle this when indexing the data instead of creating a field extraction?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎05-25-2017 11:46 AM

Yes, you can definitely have multiple field extractions in to the same field.

props.conf

[<sourcetype>]
REPORT-yourfield = yourfield1,yourfield2,yourfield3

transforms.conf

[yourfield1]
REGEX = (?<yourfield>blahblahblah)

[yourfield2]
REGEX = (?<yourfield>moreblahmoreblah)

[yourfield3]
REGEX = (?<yourfield>evenmoreblah)

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-25-2017 12:08 PM

Yes, you can do this in the CLI by piping to a series of regex commands back-to-back with the same capture name. The last successful one will win but none of the unsuccessful ones will damage a previously successful field value creation.

0 Karma
Reply
Solved! Jump to solution

jwalbert
New Member
‎05-25-2017 12:06 PM

One field extract should work, especially if your logs all lead with 'error' string prefix. Simple extraction based on your sample events:

(?i)error[\s:]+(?.*) OR (?i)error[^\w]+(?.*(?\]|\.))

The first one being the more simple/straightforward of the two, with the latter aiming to clean up the extracted data if you are so inclined.

perl -ne 'print $1.$/ if /error[^\w]+(.*(?<!\]|\.))/i' re_sample
exceed max iterations, iter 120, count_trial 120
setup_acap_venv.sh failed

ac_analysis.tools.merge_annotations:327

Joe

0 Karma
Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎05-25-2017 11:46 AM

Yes, you can definitely have multiple field extractions in to the same field.

props.conf

[<sourcetype>]
REPORT-yourfield = yourfield1,yourfield2,yourfield3

transforms.conf

[yourfield1]
REGEX = (?<yourfield>blahblahblah)

[yourfield2]
REGEX = (?<yourfield>moreblahmoreblah)

[yourfield3]
REGEX = (?<yourfield>evenmoreblah)
Reply
Solved! Jump to solution

byu168
Path Finder
‎05-25-2017 02:33 PM

Thanks! Worked perfectly

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...