Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to create rex command to extract field

Mrig342
Contributor
‎02-02-2021 08:18 AM

Hi,

We have below type of logs:

Log1-- 2021-02-02 10:12:49.889, APP_NAME="com.abcdef.abcdefghijkl", APP_TEMP_NAME="com.abcdef.abcdefghijkl", APP_TEMP_VER="1.0.11.20210120114351539", LASTDEPLOYED="2021-01-27 13:41:12.389", ENV_NAME="ABCEnvironment_AB"

Log2-- 2021-02-02 10:12:49.889, APP_NAME="com.abcdef.st.xyz", APP_TEMP_NAME="com.abcdef.st.xyz-1", APP_TEMP_VER="1.1.4", LASTDEPLOYED="2018-11-18 05:59:44.333", ENV_NAME="ABCEnvironment_CD"

From here I want to extract the below fields with separate rex commands for each.

APP_NAME, APP_TEMP_NAM, APP_TEMP_VER, LASTDEPLOYED, ENV_NAME

But I am unable to create the rex commands as expected.

Can someone please help me in creating the rex commands..?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2021 08:39 AM

 

| rex "APP_NAME=\\\"(?P<APP_NAME>[^\\\"]+)"
| rex "APP_TEMP_NAME=\\\"(?P<APP_TEMP_NAME>[^\\\"]+)"
| rex "APP_TEMP_VER=\\\"(?P<APP_TEMP_VER>[^\\\"]+)"
| rex "LASTDEPLOYED=\\\"(?P<LASTDEPLOYED>[^\\\"]+)"
| rex "ENV_NAME=\\\"(?P<ENV_NAME>[^\\\"]+)"

 

View solution in original post

Reply
Solved! Jump to solution

Mrig342
Contributor
‎02-02-2021 09:15 AM

Thank you richgalloway for your support.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎02-02-2021 08:39 AM

 

| rex "APP_NAME=\\\"(?P<APP_NAME>[^\\\"]+)"
| rex "APP_TEMP_NAME=\\\"(?P<APP_TEMP_NAME>[^\\\"]+)"
| rex "APP_TEMP_VER=\\\"(?P<APP_TEMP_VER>[^\\\"]+)"
| rex "LASTDEPLOYED=\\\"(?P<LASTDEPLOYED>[^\\\"]+)"
| rex "ENV_NAME=\\\"(?P<ENV_NAME>[^\\\"]+)"

 

Reply
Solved! Jump to solution

Mrig342
Contributor
‎02-02-2021 09:13 AM

Hi ITWhisperer,

Thank you very much for your support. The commands are working fine.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-02-2021 08:32 AM

What have you tried so far?  Have you used regex101.com to help construct regexes?

The general form of the regex is

 

{fieldName}=\"(?<{fieldName}[^\"]+)

 

where {fieldName} is a placeholder for the field you wish to extract.  When applied to the rex command it becomes, for example:

| rex "APP_NAME=\\\"(?<APP_NAME>[^\\\"]+)"

 The extra backslashes are for the multiple layers the regex passes through before it reaches Splunk's regex parser.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...