Splunk Search

REX - How can these two REX commands be merged?

Mick_OBrien
Path Finder

I have two REX strings that work independently...

^\S+\s(?<microService>\S+).*

[supplied by previous SPLUNK answer]

...and...

"(?i)^(?:[^\+]*\+){2}\d+\]\s+\"(?P<missingFileDetails>[^\"]+)"

[generated via erex]

 

How can these two REX commands be merged?

ITWhisperer
SplunkTrust
| rex "^\S+\s(?<microService>\S+).*?\"(?P<missingFileDetails>[^\"]+)\""
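
Added example, not part of the original thread or any poster's code: a self-contained search that runs the merged `rex` against the test string posted in this thread and against a second, constructed event that has no quoted request. It also runs two chained `rex` commands for comparison. The `event_origin`, `n`, `microService_sep` and `missingFileDetails_sep` names, the unanchored second pattern and the all-zero GUID are assumptions made for illustration.

```spl
| makeresults count=2
| streamstats count AS n
| eval event_origin=if(n=1, "test string from the thread", "constructed, no quoted request")
| eval _raw=if(n=1,
    "2022-08-16T04:00:13.231444+00:00 CBF.microService af312b94-8abc-49ed-af80-969a5b0044e4[[APP/PROC/WEB/2]] 139.59.241.107, 100.64.240.3 - - - [16/Aug/2022:04:00:13 +0000] \"GET /git/notifyCommit?url=2DQDJjcLvzZRdjs6bf9k0KOtJCs&branches=2DQDJjcLvzZRdjs6bf9k0KOtJCs HTTP/1.1\" 404 188",
    "2022-08-16T04:00:14.000000+00:00 CBF.microService 00000000-0000-0000-0000-000000000000[[APP/PROC/WEB/2]] constructed line without a quoted request")
| rex "^\S+\s(?<microService>\S+).*?\"(?P<missingFileDetails>[^\"]+)\""
| rex "^\S+\s(?<microService_sep>\S+)"
| rex "\"(?P<missingFileDetails_sep>[^\"]+)\""
| table event_origin microService missingFileDetails microService_sep missingFileDetails_sep
```

On the first event all four fields are populated. On the constructed event the merged pattern extracts nothing, because a single regex must match in full, while the chained form still yields `microService_sep`.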


gcusello
SplunkTrust

Hi @Mick_OBrien,

to answer your question, you should share some samples of your logs!

Ciao.

Giuseppe


Mick_OBrien
Path Finder

Hi @gcusello 

As requested.  Used this URL/tool...

https://regex101.com/r/nE14zp/1

...to check these REX strings...

^\S+\s(?<microService>\S+).*

(?i)^(?:[^\+]*\+){2}\d+\]\s+\"(?P<missingFileDetails>[^\"]+)

...using this test string...

2022-08-16T04:00:13.231444+00:00 CBF.microService af312b94-8abc-49ed-af80-969a5b0044e4[[APP/PROC/WEB/2]] 139.59.241.107, 100.64.240.3 - - - [16/Aug/2022:04:00:13 +0000] "GET /git/notifyCommit?url=2DQDJjcLvzZRdjs6bf9k0KOtJCs&branches=2DQDJjcLvzZRdjs6bf9k0KOtJCs HTTP/1.1" 404 188

 

The individual commands work but I am unable to concatenate [to get a table of microservices and missing files].

 

Any help greatly appreciated


gcusello
SplunkTrust

Hi @Mick_OBrien,

as you can see in the regex101 you shared, the double regex is working on the sample you used, but maybe there are some differences in other logs, and for this reason the double regex doesn't work.

Anyway, please try this:

^\d+-\d+-\d+T\d+:\d+:\d+\.\d+\+\d+:\d+\s+(?<microservice>\w+).*MESSAGE\=(?<message>.+)

Ciao.

Giuseppe


Mick_OBrien
Path Finder

Hi @gcusello 

 

Sorry but I cannot get this to work - this rex string returned multiple pages of empty fields...

rex field=_raw ^\d+-\d+-\d+T\d+:\d+:\d+\.\d+\+\d+:\d+\s+(?<microservice>\w+).*MESSAGE\=(?<message>.+)

It's not picking up the microservice, nor does the test string supplied contain the text 'MESSAGE='.

 

 
