Re: REX command for the logline

nivethainspire_ · ‎02-15-2017

I need to write a rex command for the below log, Please help me out.

log:
xxx,xxx, D_Name="sag01 "TCC - QA - ORAA cvo0011 (CLCDTQ)"" , xxx

In the above log , i need to write a rex command to extract 3 type of values in single field as below
D_Name
sag01
cvo0011
CLCDTQ

hunters_splunk · ‎02-15-2017

Hi nivethainspire_07,

Based on the sample log line you provided, please try the following query:

 ... | rex field=_raw "="(?<field1>.*)\s".*\s(?<field2>.*)\s\((?<field3>.*)\)"""

If it does not work for your other log lines, please provide more log data so that others can gain a more complete understanding of your log format.

Hope it helps. Thanks!
Hunter

jkat54 · ‎02-15-2017

If the log always contains D_Name="value" then splunk will auto-extract this field at search time when using verbose mode.

martin_mueller · ‎02-15-2017

Smart > Verbose 😛

martin_mueller · ‎02-15-2017

You'll need to know more about the format of that line, find out what rules govern what value is where.

I could write a regular expression that works for this one example, but it's unlikely to work for all your data without that format knowledge.

REX command for the logline