Splunk Search

Multiple values field extraction with colon delimiter

kumar497
Path Finder

Hi all,
i have been trying to extract error code which is alphanumeric and is delimited as per below but not able to extract with the rex due to the unstructured fields, will there be any way to extract this fields to do a timechart on the error codes.any help pls

sample piece of log
error=30578910//=404.EBS.SYSTEM.101:6NAHKFZA//=404.IMS.SERVERIN.103:2GSO0LPT//=404.IES.SERVER.105:5X3HSH18M//=404.IES.SERVEROUT.105,missingFulfillmentItems

required output 

404.EBS.SYSTEM.101

404.IMS.SERVERIN.103

404.IES.SERVER.105

404.IES.SERVEROUT.105

Labels (2)
0 Karma
1 Solution

kumar497
Path Finder
0 Karma

peter_krammer
Communicator
| rex max_match=1000 "(?://=(?[^:,]+))"
| table _time, error_code

Output:

_timeerror_code
2021-03-17 14:23:41
404.EBS.SYSTEM.101
404.IMS.SERVERIN.103
404.IES.SERVER.105
404.IES.SERVEROUT.105
0 Karma

kumar497
Path Finder

thanks @peter_krammer  for the response, but when appending to the search giving an error and also tried in the regex101.com which seems having an issue with grouping the structure,sorry if i missed anything

Error in 'rex' command: Encountered the following error while compiling the regex '(?://=(?[^:,]+))': Regex: unrecognized character after (? or (?-.

Tags (1)
0 Karma

Vardhan
Contributor

Hi ,

use the below regex.

| rex "=(?<error_code>\d{3}.\w+.\w+.\d{3})"  max_match=10

0 Karma

kumar497
Path Finder

Thanks @Vardhan  it helps

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...