Splunk search regex how to??

hostedtower3 · ‎12-13-2012

from this string 'op-failed', 'text': "[Errno 2] bad format", 'time': 1355388330.578211, 'error': 'fetch-error'}
how can I extract the text between 'text' and 'time'?

I'm looking for a regex that would return [Errno 2] bad format

Thanks

lguinn2 · ‎12-13-2012

This should do it

'text:'\s*"(?<errorText>.*?)"

If you need to put in the rex command, you could use

\'text:\'\s*\"(?<errorText>.*?)\"

Otherwise the quotation marks may confuse the search parser.

Note that the resulting field is named errorText

lguinn2 · ‎12-14-2012

You could do a search like this

sourcetype="worker-stderr-*" op-failed "[Errno 2] bad format"

lguinn2 · ‎12-14-2012

Okay, the original question said that you wanted a regex that would extract a value. In Splunk terms, you are asking for a field: a field is defined by a regex and has a value based on what is extracted from the events. A regex that defines a field could be used with the rex command, or it could be used with the interactive field extractor.

If what you want is a search, then you need to edit your question. What exactly do you want to accomplish? I am not sure now that you need to use a regular expression at all.

hostedtower3 · ‎12-13-2012

this search query returns 0 items
sourcetype="worker-stderr-*" op-failed | regex _raw=\'text:\'\s*\"(?<errorText>.*?)\"

this search query returns 10 items
sourcetype="worker-stderr-*" op-failed

is this what you had in mind or am I missing something.
Thanks

hostedtower3 · ‎12-13-2012

How would the search query look like? (sorry I'm new to splunk)

the source type is sourcetype="worker-stderr-*"

Thanks.

Splunk search regex how to??

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life