Splunk Search

RegEx - When find a match get full line.

Communicator

So when I get an error with the message "(Failed)" I want the line to be added to an extracted field as a value.

9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)

Any idea how to write the regular expression for this?


Re: RegEx - When find a match get full line.

SplunkTrust

Try this.

(?<field>.*(?=\(Failed\)))
---
If this reply helps you, an upvote would be appreciated.

Re: RegEx - When find a match get full line.

Communicator

I'm using this in the field extractor. It appears to select the full event, not just the line.
Thanks for your effort.


Re: RegEx - When find a match get full line.

SplunkTrust

Please explain what you mean by "line". If you can, please share a full "event" with the "line" you wish to extract.


Re: RegEx - When find a match get full line.

Communicator

It's a multi-line event from our logs, so it would be like this.

  1. sdfiosdfjgiojsdf
  2. dfosdogijsdfiojsdfg (Failed)
  3. oisdjfgo[idjsfgoiiojsdfg

Extracted value = " 2. dfosdogijsdfiojsdfg (Failed)"


Re: RegEx - When find a match get full line.

SplunkTrust

Try this.

(?<field>\n.*(?=\(Failed\)))

Re: RegEx - When find a match get full line.

Communicator

It returns a tick on the extracted field, so I think it's picking up the (Failed) bit. But the value is still blank. Sorry 😞


Re: RegEx - When find a match get full line.

SplunkTrust

Hi,

I'm not 100% sure what you mean.
See if the following code helps:

| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| rex field=event "(?<error_line>.+\(Failed\)$)"

It will basically extract the code into a new field named error_line if the event contains the string (Failed). It is case-sensitive in this case.

Alternatively you could simply do the following:

| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| eval error_line = if(match(event, ".+\(Failed\)$"), event, null())

If you don't need the bit that says (Failed):

| makeresults | fields - _time
| eval event = "9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)"
| rex field=event "(?<error_line>.+?)\s+\(Failed\)$"

If it is a multi-line event, use the following regex instead:

| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"

Regards,
J

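An added example, not from the thread or from Splunk, showing why the two multi-line suggestions above behave differently. Splunk's rex uses PCRE; Python's re module is used here as a stand-in because the constructs involved (lookahead, the (?m) flag, named groups, and "." not crossing a newline) behave the same way in both, with one syntax difference: Splunk writes named groups as (?<name>...), Python needs (?P<name>...). The events are constructed in the shape the thread describes, not real log data. The newline-prefixed regex from the earlier reply can never match a failing first line because there is no "\n" before it, while anchoring with (?m)^...$ returns exactly one whole line whether it is first, middle or last.

```python
import re
from typing import List, Optional

# Constructed multi-line event in the shape shown in the thread (not real log data).
EVENT = """1. sdfiosdfjgiojsdf
2. dfosdogijsdfiojsdfg (Failed)
3. oisdjfgo[idjsfgoiiojsdfg"""

# Constructed event where the failing line is the FIRST line, so no "\n" precedes it.
EVENT_FIRST_LINE = """9:0 : Item HAG123312 HH4A 400.0GB 512B/sect (Failed)
9:1 : Item HAG123313 HH4A 400.0GB 512B/sect (OK)"""

# The earlier reply's regex, transcribed to Python syntax: it requires a newline
# before the line and, because of the lookahead, leaves "(Failed)" out of the value.
NEWLINE_PREFIXED = re.compile(r"\n(?P<field>.*(?=\(Failed\)))")

# Line-anchored form. In Splunk this is written
#   | rex field=event "(?m)^(?<error_line>.*\(Failed\))$"
# (?m) makes ^ and $ match at line boundaries; without (?s), "." never crosses a
# newline, so the group can only ever hold a single line.
MULTILINE_ANCHORED = re.compile(r"(?m)^(?P<error_line>.*\(Failed\))$")


def extract_failed_line(event: str, pattern: "re.Pattern" = MULTILINE_ANCHORED) -> Optional[str]:
    """Mirror `rex` semantics: first match wins, the named group becomes the value.

    Returns None when no line matches (rex simply leaves the field absent).
    """
    m = pattern.search(event)
    if not m:
        return None
    return m.group(1)  # the single named group in either pattern


def extract_all_failed_lines(event: str) -> List[str]:
    """Equivalent of `rex max_match=0`: every failing line in one multi-line event."""
    return [m.group("error_line") for m in MULTILINE_ANCHORED.finditer(event)]


if __name__ == "__main__":
    for name, ev in (("middle line", EVENT), ("first line", EVENT_FIRST_LINE)):
        print(f"{name}: anchored   -> {extract_failed_line(ev)!r}")
        print(f"{name}: \\n-prefixed -> {extract_failed_line(ev, NEWLINE_PREFIXED)!r}")
```

Run it and the "\n"-prefixed pattern returns a value with a trailing space and without "(Failed)" for the middle-line event, and None for the first-line event; the anchored pattern returns the complete line in both cases. If a field extractor shows a tick but an empty value, check whether the match is landing on an empty or whitespace-only group rather than on the line you expect.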

Re: RegEx - When find a match get full line.

SplunkTrust

If it is a multi-line event, simply do the following instead:

| rex field=event "(?m)(?<error_line>.+?\s+\(Failed\)$)"

Re: RegEx - When find a match get full line.

Communicator

No, that has put all lines into one event. I only need the line the error is on.

  1. afiojsdfiohsdfsdjsdfgiojsdfgoijsdfg 2. ohsdfouhsdfguohsdfg (Failed)
  2. osdfhgiosdhfgohisdfgiohjasdfgi

So just the line in bold above
