Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need rex to extract the parameter in field product_name

Hemant_h
Engager
‎02-04-2025 05:58 AM

Want to extract HIGCommercialAuto  and MLM-RS-H
only from below logs in field product name.

HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16 MLM-RS-H higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16 MLM-R3-N higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16

 

 

Labels (1)
Labels
0 Karma
Reply

Hemant_h
Engager
‎02-05-2025 12:40 AM 
[ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
[ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
[ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
[ERROR] 2025-02-05 08:08:33.464 [http-nio-8080-exec-12] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
[ERROR] 2025-02-05 08:04:21.339 [http-nio-8080-exec-73] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/b75f6bcde90f4aceaf9edbbeb13c5e58
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2025 01:38 AM

Why not start with your actual events? OK, assuming these now represent your events, try something like this instead

| rex "The following products did not have mappings from PC: (?<product>\S+)"
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-04-2025 06:50 AM

Hi @Hemant_h ,

if the structure of your events is fixed, you coult try something like this:

| rex field=product_name "^(?<field1>\w+)\s[^\s]+\s[^\s]+\s[^\s]+\s[^\s]+\s(?<field2>[^ ]+)"

 Ciao.

Giuseppe

0 Karma
Reply

Hemant_h
Engager
‎02-05-2025 12:28 AM

HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16

MLM-RS-H higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16

MLM-R3-N higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16

These are basically 3 different logs and the highlighted one needs to extarcted in filed product_name

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-05-2025 12:34 AM

It looks like you want the first set of non-space characters, so try something like this

| rex "^(?<product>\S+)"
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-04-2025 06:16 AM

Are these separate events?

Do you already have any fields extracted?

Please share your raw event data in code blocks using the </> button above to preserve formatting in the event.

0 Karma
Reply

Hemant_h
Engager
‎02-05-2025 12:43 AM 
[ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
[ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
[ERROR] 2025-02-05 08:24:33.165 [http-nio-8080-exec-10] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
[ERROR] 2025-02-05 08:08:33.464 [http-nio-8080-exec-12] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/17eea8553cb8434bb4c126047817da16
[ERROR] 2025-02-05 08:04:21.339 [http-nio-8080-exec-73] com.thehartford.bi.mm.clearanceapp.services.policysummary.impl.HFPProduct - The following products did not have mappings from PC: HIGCommercialAuto higawsaccountid: 463251740121 higawslogstream: app-5091-prod-1-ue1-EctAPI/EctAPI/b75f6bcde90f4aceaf9edbbeb13c5e58

These are the logs and i want to extract string for example   HIGCommercialAuto  just before the higawsaccountid string 

 

 

0 Karma
Reply

kiran_panchavat
Champion
‎02-05-2025 12:55 AM

@Hemant_h 

To extract only HIGCommercialAuto from the logs in Splunk, use the following Splunk query

kiran_panchavat_0-1738745729260.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

Hemant_h
Engager
‎02-05-2025 01:09 AM

Hemant_h_0-1738746468417.png

Did not  work , it capture the whole string 

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...