Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex to extract two strings from log and make as field

pingdpk
Engager
‎02-21-2017 04:08 AM

Log - (given 2 lines for example)

2017/02/21 03:46:12.119-0800 [http-bio-8480-exec-3] C3AF4B3F9C2E40D2006D1513C81191A6.pppxwbtect014 INFO  c.e.c.w.b.r.ShirtsSaleResource -  #xHoster#  #**res_ShirtServiceTosite**#  ShirtsSaleResource.getLossier  , URI ->  /{1856659}  , Time taken to get JSON -> **58** milliseconds

2017/02/21 03:46:08.489-0800 [http-bio-8480-exec-2] 82F757837394C2E950AEB9A47043DD61.pppxwbtect010 INFO  c.e.c.p.m.i.CmppRestClientImpl -  #xHoster#  #**res_CmppToShirtService**#  CmppRestClientImpl.prepareChange  , URI -> http://ppp-Shirteu.ch.expeso.com:52008/order/PrepareChange , Time taken to get XML response ->  **178** milliseconds

Expected output : 

Field1                            Field2
res_ShirtServiceToSite            58
res_CmppToShirtService            178

I tried : 

index=app source=/var/log* "#xHoster#" | rex field=_raw res_(?.*)# | rex field=_raw .\-\>\s(?.*)\smilliseconds |table ptype,ptime
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎04-19-2017 05:58 PM

@pingdpk - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

0 Karma
Reply

zanb
Path Finder
‎02-22-2017 02:03 PM

Here's my RegEx:

(?P<ptype>res_\w+).*\*\*(?P<ptime>\d+)
0 Karma
Reply

nikhilb0763
Engager
‎02-22-2017 11:49 AM

How about this:

rex field=_raw "(?res_[^*]+)" | rex field=_raw "\*(?\d+)"
0 Karma
Reply

rjthibod
Champion
‎02-21-2017 05:12 AM

How about this

index=app source=/var/log* "#xHoster#" 
| rex field=_raw  "#(?<ptype>res_[^#]+)#.+\-\>\s*(?<ptime>\d+)\s*milliseconds" 
| table ptype ptime
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎02-21-2017 05:45 AM

I came up with \*\*(?<ptype>res_[^\*]+)\*\*.*?\*\*(?<ptime>\d+)\*\*

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...