Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex three lines with same format to create three field extractions

Bliide
Path Finder
‎06-26-2014 08:29 AM

I am trying to pull specific lines from a log file. I have a format that is repeated and I have a regex that is pulling the info from those lines. My problem is that there are 3 lines that have the same format. I need a way to pull each line separately. The REGEX I am using for the field extraction looks like this:

(?i)^(?:[^:]*:){3}(?P[log_error].+)

The regex works but it is pulling lines that have LOG ERROR, LOG INFO and LOG EXCEPTION. The logs look like this:

LOG ERROR:6/6/2014 3:37 PM:

LOG INFO:6/6/2014 3:37 PM:

LOG EXCEPTION:6/6/2014 3:37 PM:

I have tried putting text into the REGEX for each line but I must be inputting something incorrectly. My goal is to create three field extractions (logerror, loginfo and logexcept). I know I just need to add a simple text match to the REGEX but I cannot figure out what I am doing wrong.

0 Karma
Reply

landen99
Motivator
‎06-17-2015 02:34 PM

I recommend:

(?i)^LOG\s*(?P<log_info>[^:]*):(?P<log_date>[^:]*)

as an automatic field extraction if the events are separated. Otherwise you need to fix the indexing so that the events are separated.

0 Karma
Reply

somesoni2
Revered Legend
‎06-26-2014 09:01 AM

Give this a try

Your base search | rex "(?i)^LOG (INFO(?:[^:]*:){3}(?P<loginfo>.+)|ERROR(?:[^:]*:){3}(?P<logerror>.+)|EXCEPTION(?:[^:]*:){3}(?P<logexcept>.+))"
0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...