Solved: RegEx for variable message field extraction

johnebgood · ‎10-26-2012

Hello, I have logs coming in that look like the following:

(Tab between columns)

server1.something.com ApacheLog 0 10.0.0.1

server2.something.com ApacheLog 0 10.0.0.2

server3.something.com GenericLog 0 0 0 0

server4.something.com GenericLog 0 0 0 0

Using the IPs to have splunk generate a pattern results in this regex:

(?i)^(?:[^\t]*\t){3}(?P<FIELDNAME>[^ ]+)

The IP will be in the same place every time ApacheLog is present... so basically I want my RegEx to be something like the following which doesn't work:

^*\t*ApacheLog*\t*\t(?P<FIELDNAME>[^ ]+)

Any assistance would be appreciated.

Thanks,
John

Rob · ‎10-26-2012

Hi John,

Try the following regex:

\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})

You can test that by using the rex command on your events and seeing if the field contains what you expect. For example:

|rex field=_raw "\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})"

View solution in original post

Rob · ‎10-26-2012

Hi John,

Try the following regex:

\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})

You can test that by using the rex command on your events and seeing if the field contains what you expect. For example:

|rex field=_raw "\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})"

johnebgood · ‎10-26-2012

Perfect, thanks!

Rob · ‎10-26-2012

Using the interactive field extractor, the syntax its looking for will be slightly different. Try the following there:

.*\s+ApacheLog\s+\d\s+(?P<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})

johnebgood · ‎10-26-2012

This works in the search field however when I attempt to edit the pattern in "Extract Fields" I get a "Invalid regex: syntax error". Any thoughts there?

Thanks!

RegEx for variable message field extraction

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor