Regex three lines with same format to create three...

Bliide · ‎06-26-2014

I am trying to pull specific lines from a log file. I have a format that is repeated and I have a regex that is pulling the info from those lines. My problem is that there are 3 lines that have the same format. I need a way to pull each line separately. The REGEX I am using for the field extraction looks like this:

(?i)^(?:[^:]*:){3}(?P[log_error].+)

The regex works but it is pulling lines that have LOG ERROR, LOG INFO and LOG EXCEPTION. The logs look like this:

LOG ERROR:6/6/2014 3:37 PM:

LOG INFO:6/6/2014 3:37 PM:

LOG EXCEPTION:6/6/2014 3:37 PM:

I have tried putting text into the REGEX for each line but I must be inputting something incorrectly. My goal is to create three field extractions (logerror, loginfo and logexcept). I know I just need to add a simple text match to the REGEX but I cannot figure out what I am doing wrong.

landen99 · ‎06-17-2015

I recommend:

(?i)^LOG\s*(?P<log_info>[^:]*):(?P<log_date>[^:]*)

as an automatic field extraction if the events are separated. Otherwise you need to fix the indexing so that the events are separated.

somesoni2 · ‎06-26-2014

Give this a try

Your base search | rex "(?i)^LOG (INFO(?:[^:]*:){3}(?P<loginfo>.+)|ERROR(?:[^:]*:){3}(?P<logerror>.+)|EXCEPTION(?:[^:]*:){3}(?P<logexcept>.+))"

Regex three lines with same format to create three field extractions

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

Regex three lines with same format to create three field extractions

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor