Splunk Search

Need help with regex

ppanchal
Path Finder

index=...| search MESSAGE="CommonAsyncGETController.execute() : scope :S01234"| Table MESSAGE

Above is my string, I want to extract S01234 from MESSAGE="CommonAsyncGETController.execute() : scope :S01234" and have a new column called scope and output as below,

Scope
S01234

Please help.

Tags (2)
0 Karma
1 Solution

vnravikumar
Champion

Hi @ppanchal

Please try

| makeresults |eval message="CommonAsyncGETController.execute() : scope :S01234"| rex field=message "scope\s:(?P<scope>.+)"

View solution in original post

vnravikumar
Champion

Hi @ppanchal

Please try

| makeresults |eval message="CommonAsyncGETController.execute() : scope :S01234"| rex field=message "scope\s:(?P<scope>.+)"

michael_schmidt
Path Finder
index=...| search MESSAGE="CommonAsyncGETController.execute() : scope :S01234"| rex field=MESSAGE "(?:.+scope\s\:)(?P<Scope>\S+)" | Table MESSAGE Scope

At least, assuming that your original search is correct, that should give you a whole new field at search time called Scope, and S01234 will be the value. That being said, your search isn't going to find anything where the scope field would have a different value other than S01234... But that's a different question...

0 Karma

michael_schmidt
Path Finder

It only took me like three edits to realize that I wasn't messing up my typing but that I needed to put the named capture group in a code box... Jeezz....

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...