Solved: Re: Need help with regex

ppanchal · ‎01-16-2019

index=...| search MESSAGE="CommonAsyncGETController.execute() : scope :S01234"| Table MESSAGE

Above is my string, I want to extract S01234 from MESSAGE="CommonAsyncGETController.execute() : scope :S01234" and have a new column called scope and output as below,

Scope
S01234

Please help.

vnravikumar · ‎01-16-2019

Hi @ppanchal

Please try

| makeresults |eval message="CommonAsyncGETController.execute() : scope :S01234"| rex field=message "scope\s:(?P<scope>.+)"

View solution in original post

vnravikumar · ‎01-16-2019

Hi @ppanchal

Please try

| makeresults |eval message="CommonAsyncGETController.execute() : scope :S01234"| rex field=message "scope\s:(?P<scope>.+)"

michael_schmidt · ‎01-16-2019

index=...| search MESSAGE="CommonAsyncGETController.execute() : scope :S01234"| rex field=MESSAGE "(?:.+scope\s\:)(?P<Scope>\S+)" | Table MESSAGE Scope

At least, assuming that your original search is correct, that should give you a whole new field at search time called Scope, and S01234 will be the value. That being said, your search isn't going to find anything where the scope field would have a different value other than S01234... But that's a different question...

michael_schmidt · ‎01-16-2019

It only took me like three edits to realize that I wasn't messing up my typing but that I needed to put the named capture group in a code box... Jeezz....

Need help with regex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!