Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

RegEx How to find two strings from splunk log

dabroma5
Explorer
‎04-01-2020 07:15 AM

I have below log:

Service ABCD(blabla_blabla): 365.45.1.87.3.60354 -> remote.234.5 Failure
Service DERF(blabla_blabla): remote.567.9 -> remote.284.9 Failure

and would like to catch with RegEx:

a: 365.45.1.87.3.60354 b: remote.234.5

a: remote.567.9 b: remote.284.9

Thanks for help

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-01-2020 07:21 AM

Hi @dabroma5
try this regex:

| rex ":\s+(?<a>[^ ]+)\s+-\>\s+(?<b>[^ ]+)"

that you can test at https://regex101.com/r/fOwXfs/1

if eventually you have some false positive, you could also try:

| rex ":\s+(?<a>[^ ]+)\s+-\>\s+(?<b>[^ ]+)\s+Failure"

that you can test at https://regex101.com/r/fOwXfs/2

Ciao.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-01-2020 07:21 AM

Hi @dabroma5
try this regex:

| rex ":\s+(?<a>[^ ]+)\s+-\>\s+(?<b>[^ ]+)"

that you can test at https://regex101.com/r/fOwXfs/1

if eventually you have some false positive, you could also try:

| rex ":\s+(?<a>[^ ]+)\s+-\>\s+(?<b>[^ ]+)\s+Failure"

that you can test at https://regex101.com/r/fOwXfs/2

Ciao.
Giuseppe

Reply
Solved! Jump to solution

efavreau
Motivator
‎04-01-2020 07:52 AM

@gcusello your response was crazy fast! Awesome!

###

If this reply helps you, an upvote would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-01-2020 07:58 AM

Hi @dabroma5
you're welcome!
Ciao and next time.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎04-01-2020 07:20 AM

Hi

Check this

| makeresults 
| eval log="Service ABCD(blabla_blabla): 365.45.1.87.3.60354 -> remote.234.5 Failure#Service DERF(blabla_blabla): remote.567.9 -> remote.284.9 Failure" 
| eval temp=split(log,"#") 
| mvexpand temp 
| rex field=temp "\:\s+(?P<a>[^->]+)\s+->\s+(?P<b>\S+)" 
| table a b
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...