Splunk Search

RegEx for variable message field extraction

Path Finder

Hello, I have logs coming in that look like the following:

(Tab between columns)

server1.something.com ApacheLog 0 10.0.0.1

server2.something.com ApacheLog 0 10.0.0.2

server3.something.com GenericLog 0 0 0 0

server4.something.com GenericLog 0 0 0 0

Using the IPs to have splunk generate a pattern results in this regex:

(?i)^(?:[^\t]*\t){3}(?P<FIELDNAME>[^ ]+)

The IP will be in the same place every time ApacheLog is present... so basically I want my RegEx to be something like the following which doesn't work:

^*\tApacheLog\t*\t(?P<FIELDNAME>[^ ]+)

Any assistance would be appreciated.

Thanks,
John

Tags (3)
1 Solution

Splunk Employee
Splunk Employee

Hi John,

Try the following regex:

\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})

You can test that by using the rex command on your events and seeing if the field contains what you expect. For example:

|rex field=_raw "\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})"

View solution in original post

Splunk Employee
Splunk Employee

Hi John,

Try the following regex:

\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})

You can test that by using the rex command on your events and seeing if the field contains what you expect. For example:

|rex field=_raw "\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})"

View solution in original post

Path Finder

Perfect, thanks!

0 Karma

Splunk Employee
Splunk Employee

Using the interactive field extractor, the syntax its looking for will be slightly different. Try the following there:

.*\s+ApacheLog\s+\d\s+(?P<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})

Path Finder

This works in the search field however when I attempt to edit the pattern in "Extract Fields" I get a "Invalid regex: syntax error". Any thoughts there?

Thanks!

0 Karma