Splunk Search

Regex to extract two strings from log and make as field

pingdpk
Engager

Log - (given 2 lines for example)

2017/02/21 03:46:12.119-0800 [http-bio-8480-exec-3] C3AF4B3F9C2E40D2006D1513C81191A6.pppxwbtect014 INFO  c.e.c.w.b.r.ShirtsSaleResource -  #xHoster#  #**res_ShirtServiceTosite**#  ShirtsSaleResource.getLossier  , URI ->  /{1856659}  , Time taken to get JSON -> **58** milliseconds

2017/02/21 03:46:08.489-0800 [http-bio-8480-exec-2] 82F757837394C2E950AEB9A47043DD61.pppxwbtect010 INFO  c.e.c.p.m.i.CmppRestClientImpl -  #xHoster#  #**res_CmppToShirtService**#  CmppRestClientImpl.prepareChange  , URI -> http://ppp-Shirteu.ch.expeso.com:52008/order/PrepareChange , Time taken to get XML response ->  **178** milliseconds

Expected output :

Field1                            Field2
res_ShirtServiceToSite            58
res_CmppToShirtService            178

I tried :

index=app source=/var/log* "#xHoster#" | rex field=_raw res_(?.*)# | rex field=_raw .\-\>\s(?.*)\smilliseconds |table ptype,ptime
0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@pingdpk - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

0 Karma

zanb
Path Finder

Here's my RegEx:

(?P<ptype>res_\w+).*\*\*(?P<ptime>\d+)
0 Karma

nikhilb0763
Engager

How about this:

rex field=_raw "(?res_[^*]+)" | rex field=_raw "\*(?\d+)"
0 Karma

rjthibod
Champion

How about this

index=app source=/var/log* "#xHoster#" 
| rex field=_raw  "#(?<ptype>res_[^#]+)#.+\-\>\s*(?<ptime>\d+)\s*milliseconds" 
| table ptype ptime
0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

I came up with \*\*(?<ptype>res_[^\*]+)\*\*.*?\*\*(?<ptime>\d+)\*\*

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...