Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Rex for different pattern of same fields within same event

sh254087
Communicator
‎07-18-2019 05:59 AM

Trying to formulate a Regex that would work with events something like the below one. When I tried extracting the fields, I did not get to the expected output as the field name I'm looking at is same for values of different pattern. The rex was either failing or throwing error about using duplicate field name.

Sample Event entry:
No machines for project Print-Demo
No machines for project Kimkeen_POC
No machines for project Default Project
Project name: ABCD Life, Machine name:hlstocpra2, Status:STARTED, Backlog bytes:0, Last consistency:Still replicating
Project name: ABCD Life, Machine name:HKWONDERSVD02, Status:PAUSED, Backlog bytes:0, Last consistency:Still replicating
Project name: ABCD Life, Machine name:hlstocpraw2, Status:PAUSED, Backlog bytes:0, Last consistency:Still replicating
No machines for project Print
No machines for project Demo2
No machines for project Test_migrate

Expected extraction and output:
alt text

Looking for help in extracting the fields with all the values to be presented in individual rows.

Preview file
129 KB
0 Karma
Reply

wenthold
Communicator
‎07-18-2019 09:10 AM

I'm not sure if you should use a more complex single rex command, but you can:

| rex "[Pp]roject (?:name: )?(?<ProjectName>[^\,\r\n]+)(?:\, Machine name\:(?<MachineName>[^\,]+)\, Status\:(?<JobStatus>[^\,]+)\, Backlog bytes\:(?<BacklogBytes>[0-9]+)\, Last consistency\:(?<LastConsistency>.*))?"
| table ProjectName, MachineName, JobStatus, BacklogBytes, LastConsistency
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-18-2019 06:19 AM

Hi sh254087,
I suggest to use two different regexes, one for No machines and one for machines the merge machine name fields using coalesce, in othe words:

| rex "(No machines for project )(?<Project_Name1>.*)"
| rex "(?ms)Project name: (?<Project_Name2>[^,]*), Machine name:(?<Machine_Name>[^,]*), Status:(?<Status>[^,]*), Backlog bytes:(?<Backlog_bytes>[^,]*)"
| eval Project_name=coalesce(Project_name1,Project_name2)

you can test it at https://regex101.com/r/X3pgrK/2

Bye.
Giuseppe

0 Karma
Reply

sh254087
Communicator
‎07-18-2019 06:06 AM

Please help @niketnilay
@shwetas

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...