Re: Regex help to extract logname

iamsplunker · ‎01-04-2023

I'm trying to extract logname from the following.

So the logname value would be message.log/bblog.log/api.log

Please Note : When the timestamp date is between10-31 there is no extra space where when the timestamp date is single digit i.e.,(1-9 ) there is an extra space at the beginning of the event.

ex: <10>Jan<space><space>4 15:30:02

<10>Dec<space>31 15:30:02

Here are the sample events

<10>Jan 4 15:30:02 a2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:02 message.log INFORMATION
apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false

<10>Jan 4 15:30:02 ia2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:02 bblog.log INFORMATION
apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false

<10>Dec 31 15:30:04 a2222xyabcd031.xyz.com app1001-cc-NONPROD 2023-01-04 15:30:04 api.log INFORMATION
apple:73 dev-banana_Guava-[Messaging.Security] [sys] [THE Outbound | outbound|] claimEligibility=false

richgalloway · ‎01-04-2023

Try this regex. Change the values of "WARNING" and "ERROR" to match your data.

 (\S+) (?:INFORMATION|WARNING|ERROR)

Note the leading space.

---
If this reply helps you, Karma would be appreciated.

ITWhisperer · ‎01-04-2023

| rex "(?<logname>\S+)\s+INFORMATION"

iamsplunker · ‎01-04-2023

Thanks for your response.

Quick question what if we have different string after the LogName

For ex: ERROR or WARN

Can we use something like this ?

| rex "(?<logname>\S+)\s+INFORMATION|WARN|ERROR"

ITWhisperer · ‎01-04-2023

I would try putting the alternate values in brackets

| rex "(?<logname>\S+)\s+(INFORMATION|WARN|ERROR)"

Regex help to extract logname

field extraction

fields

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!