Solved: Regex to extract whole line from raw data

nm8181 · ‎05-25-2021

Hello,

I am trying to extract the full line from the raw data log matching a pattern in the line. Sample data:

blah blah

24 packages updated on 5th may 2021 3:00 pm

blah blah

I am able to use a regex to extract everything after a pattern lets say "packages updated" using the below regex, but I am not able to extract the full line including the number (24 in this case) in the beginning of the line.

base search

| rex field=_raw "(?m)packages updated\s(?<pkg_count>.*)"

With this above regex, I get a new field named pkg_count with value of = on 5th may 2021 3:00 pm

But I'd like to get a field with the full line "24 packages updated on 5th may 2021 3:00 pm"

Thanks!

richgalloway · ‎05-25-2021

You're close. Try this command

| rex field=_raw "(?<pkg_count>\d+)\s+packages updated\s(?<pkg_date>.*)"

The (?m) flag is not needed.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

nm8181 · ‎05-26-2021

Perfect. Thank you!

richgalloway · ‎05-25-2021

You're close. Try this command

| rex field=_raw "(?<pkg_count>\d+)\s+packages updated\s(?<pkg_date>.*)"

The (?m) flag is not needed.

---
If this reply helps you, Karma would be appreciated.

Regex to extract whole line from raw data

field extraction

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life