Solved: Re: Multiple values field extraction with colon de...

kumar497 · ‎03-17-2021

Hi all,
i have been trying to extract error code which is alphanumeric and is delimited as per below but not able to extract with the rex due to the unstructured fields, will there be any way to extract this fields to do a timechart on the error codes.any help pls

sample piece of log
error=30578910//=404.EBS.SYSTEM.101:6NAHKFZA//=404.IMS.SERVERIN.103:2GSO0LPT//=404.IES.SERVER.105:5X3HSH18M//=404.IES.SERVEROUT.105,missingFulfillmentItems

required output

404.EBS.SYSTEM.101

404.IMS.SERVERIN.103

404.IES.SERVER.105

404.IES.SERVEROUT.105

kumar497 · ‎03-17-2021

Thanks @Vardhan it helps

View solution in original post

peter_krammer · ‎03-17-2021

| rex max_match=1000 "(?://=(?[^:,]+))"
| table _time, error_code

Output:

_time	error_code
2021-03-17 14:23:41	404.EBS.SYSTEM.101 404.IMS.SERVERIN.103 404.IES.SERVER.105 404.IES.SERVEROUT.105

kumar497 · ‎03-17-2021

thanks @peter_krammer for the response, but when appending to the search giving an error and also tried in the regex101.com which seems having an issue with grouping the structure,sorry if i missed anything

Error in 'rex' command: Encountered the following error while compiling the regex '(?://=(?[^:,]+))': Regex: unrecognized character after (? or (?-.

Vardhan · ‎03-17-2021

Hi ,

use the below regex.

| rex "=(?<error_code>\d{3}.\w+.\w+.\d{3})" max_match=10

kumar497 · ‎03-17-2021

Thanks @Vardhan it helps

Multiple values field extraction with colon delimiter

fields

rex

Can’t make it to .conf25? Join us online!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

Calling All Security Pros: Ready to Race Through Boston?

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Are you a member of the Splunk Community?