Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Splunk search regex how to??
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk search regex how to??
hostedtower3
New Member
12-13-2012
11:49 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
12-13-2012
01:09 PM
This should do it
'text:'\s*"(?<errorText>.*?)"
If you need to put in the rex command, you could use
\'text:\'\s*\"(?<errorText>.*?)\"
Otherwise the quotation marks may confuse the search parser.
Note that the resulting field is named errorText
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
12-14-2012
10:27 AM
You could do a search like this
sourcetype="worker-stderr-*" op-failed "[Errno 2] bad format"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
12-14-2012
10:26 AM
Okay, the original question said that you wanted a regex that would extract a value. In Splunk terms, you are asking for a field: a field is defined by a regex and has a value based on what is extracted from the events. A regex that defines a field could be used with the rex command, or it could be used with the interactive field extractor.
If what you want is a search, then you need to edit your question. What exactly do you want to accomplish? I am not sure now that you need to use a regular expression at all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hostedtower3
New Member
12-13-2012
04:17 PM
this search query returns 0 items
sourcetype="worker-stderr-*" op-failed | regex _raw=\'text:\'\s*\"(?<errorText>.*?)\"
this search query returns 10 items
sourcetype="worker-stderr-*" op-failed
is this what you had in mind or am I missing something.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hostedtower3
New Member
12-13-2012
03:38 PM
How would the search query look like? (sorry I'm new to splunk)
the source type is sourcetype="worker-stderr-*"
Thanks.
Get Updates on the Splunk Community!
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
