Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex with eval ?

officialsubho
New Member
‎05-17-2019 12:28 PM

I have this following string

2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'

i just need to extract value against the name keyword and use it as a field to run stats against it .
How can i extract the value ? Can someone plz help with the SPL ?

justgettingstarted

Tags (1)
0 Karma
Reply

Vijeta
Influencer
‎05-21-2019 12:48 PM

@officialsubho you can use this rex command 

 rex field=_raw "name=\'(?<name>[^\']+)\'"
0 Karma
Reply

koshyk
Super Champion
‎05-17-2019 01:36 PM

I would have thought, Splunk automatically extracts it?

Anyway, Please find the regex

|makeresults
| eval myraw="2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'"
| rex field=myraw "name=\'(?<name>[^\']+)\'"
| fields name

In regex101 => https://regex101.com/r/yWXFJ7/1

0 Karma
Reply

officialsubho
New Member
‎05-21-2019 12:27 PM

Thanks @koshyk , but i am not looking for the regex .
i Just need store the name='XYZ Service' in a separate field , so that i can run counts against it .

i am trying to figure out how many times a particular XYZ service showed down status on the logs .
let me know if that makes sense .

0 Karma
Reply

koshyk
Super Champion
‎05-21-2019 01:38 PM

so you want the whole of name='XYZ Service' to be in a separate field?

In the above regex, you will get the field name as "name", but you can change it to whatever it suits you. 

|makeresults
 | eval myraw="2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'"
 | rex field=myraw "name=\'(?<myNewField>[^\']+)\'"
 | stats count by myNewField

..

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...