Solved: Multiple values field extraction with colon delimi...

kumar497 · ‎03-17-2021

Hi all,
i have been trying to extract error code which is alphanumeric and is delimited as per below but not able to extract with the rex due to the unstructured fields, will there be any way to extract this fields to do a timechart on the error codes.any help pls

sample piece of log
error=30578910//=404.EBS.SYSTEM.101:6NAHKFZA//=404.IMS.SERVERIN.103:2GSO0LPT//=404.IES.SERVER.105:5X3HSH18M//=404.IES.SERVEROUT.105,missingFulfillmentItems

required output

404.EBS.SYSTEM.101

404.IMS.SERVERIN.103

404.IES.SERVER.105

404.IES.SERVEROUT.105

kumar497 · ‎03-17-2021

Thanks @Vardhan it helps

View solution in original post

peter_krammer · ‎03-17-2021

| rex max_match=1000 "(?://=(?[^:,]+))"
| table _time, error_code

Output:

_time	error_code
2021-03-17 14:23:41	404.EBS.SYSTEM.101 404.IMS.SERVERIN.103 404.IES.SERVER.105 404.IES.SERVEROUT.105

kumar497 · ‎03-17-2021

thanks @peter_krammer for the response, but when appending to the search giving an error and also tried in the regex101.com which seems having an issue with grouping the structure,sorry if i missed anything

Error in 'rex' command: Encountered the following error while compiling the regex '(?://=(?[^:,]+))': Regex: unrecognized character after (? or (?-.

Vardhan · ‎03-17-2021

Hi ,

use the below regex.

| rex "=(?<error_code>\d{3}.\w+.\w+.\d{3})" max_match=10

kumar497 · ‎03-17-2021

Thanks @Vardhan it helps

Multiple values field extraction with colon delimiter

fields

rex

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout