Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to create rex command to extract field

Mrig342
Contributor
‎02-02-2021 08:18 AM

Hi,

We have below type of logs:

Log1-- 2021-02-02 10:12:49.889, APP_NAME="com.abcdef.abcdefghijkl", APP_TEMP_NAME="com.abcdef.abcdefghijkl", APP_TEMP_VER="1.0.11.20210120114351539", LASTDEPLOYED="2021-01-27 13:41:12.389", ENV_NAME="ABCEnvironment_AB"

Log2-- 2021-02-02 10:12:49.889, APP_NAME="com.abcdef.st.xyz", APP_TEMP_NAME="com.abcdef.st.xyz-1", APP_TEMP_VER="1.1.4", LASTDEPLOYED="2018-11-18 05:59:44.333", ENV_NAME="ABCEnvironment_CD"

From here I want to extract the below fields with separate rex commands for each.

APP_NAME, APP_TEMP_NAM, APP_TEMP_VER, LASTDEPLOYED, ENV_NAME

But I am unable to create the rex commands as expected.

Can someone please help me in creating the rex commands..?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2021 08:39 AM

 

| rex "APP_NAME=\\\"(?P<APP_NAME>[^\\\"]+)"
| rex "APP_TEMP_NAME=\\\"(?P<APP_TEMP_NAME>[^\\\"]+)"
| rex "APP_TEMP_VER=\\\"(?P<APP_TEMP_VER>[^\\\"]+)"
| rex "LASTDEPLOYED=\\\"(?P<LASTDEPLOYED>[^\\\"]+)"
| rex "ENV_NAME=\\\"(?P<ENV_NAME>[^\\\"]+)"

 

View solution in original post

Reply
Solved! Jump to solution

Mrig342
Contributor
‎02-02-2021 09:15 AM

Thank you richgalloway for your support.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2021 08:39 AM

 

| rex "APP_NAME=\\\"(?P<APP_NAME>[^\\\"]+)"
| rex "APP_TEMP_NAME=\\\"(?P<APP_TEMP_NAME>[^\\\"]+)"
| rex "APP_TEMP_VER=\\\"(?P<APP_TEMP_VER>[^\\\"]+)"
| rex "LASTDEPLOYED=\\\"(?P<LASTDEPLOYED>[^\\\"]+)"
| rex "ENV_NAME=\\\"(?P<ENV_NAME>[^\\\"]+)"

 

Reply
Solved! Jump to solution

Mrig342
Contributor
‎02-02-2021 09:13 AM

Hi ITWhisperer,

Thank you very much for your support. The commands are working fine.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-02-2021 08:32 AM

What have you tried so far?  Have you used regex101.com to help construct regexes?

The general form of the regex is

 

{fieldName}=\"(?<{fieldName}[^\"]+)

 

where {fieldName} is a placeholder for the field you wish to extract.  When applied to the rex command it becomes, for example:

| rex "APP_NAME=\\\"(?<APP_NAME>[^\\\"]+)"

 The extra backslashes are for the multiple layers the regex passes through before it reaches Splunk's regex parser.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...