Solved: Re: Need help with regex

ppanchal · ‎01-16-2019

index=...| search MESSAGE="CommonAsyncGETController.execute() : scope :S01234"| Table MESSAGE

Above is my string, I want to extract S01234 from MESSAGE="CommonAsyncGETController.execute() : scope :S01234" and have a new column called scope and output as below,

Scope
S01234

Please help.

vnravikumar · ‎01-16-2019

Hi @ppanchal

Please try

| makeresults |eval message="CommonAsyncGETController.execute() : scope :S01234"| rex field=message "scope\s:(?P<scope>.+)"

View solution in original post

vnravikumar · ‎01-16-2019

Hi @ppanchal

Please try

| makeresults |eval message="CommonAsyncGETController.execute() : scope :S01234"| rex field=message "scope\s:(?P<scope>.+)"

michael_schmidt · ‎01-16-2019

index=...| search MESSAGE="CommonAsyncGETController.execute() : scope :S01234"| rex field=MESSAGE "(?:.+scope\s\:)(?P<Scope>\S+)" | Table MESSAGE Scope

At least, assuming that your original search is correct, that should give you a whole new field at search time called Scope, and S01234 will be the value. That being said, your search isn't going to find anything where the scope field would have a different value other than S01234... But that's a different question...

michael_schmidt · ‎01-16-2019

It only took me like three edits to realize that I wasn't messing up my typing but that I needed to put the named capture group in a code box... Jeezz....

Need help with regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Join the Conversation