Solved: Using regex in Splunk

darpohsh · ‎07-09-2013

I would like to be able to extract some details from the logs, namely "AR1" and "SIN" as 2 fields and a 3rd field with the status after the text 'AR1(SIN)-'.

# print: msg: AR1(SIN)-rollout: Group 1 started (06:25:51)

# print: msg: AR1(SIN)-rollout: Group 1 completed (06:41:08)

Any advise on what is the regex that I should use in my Splunk query?

ranjyotiprakash · ‎07-09-2013

you have two options :

1 .either perform field extraction using configurations in inputs.conf, props.conf, transforms.conf link text

or option 2. do field extraction directly in search command using rex link text

if using rex command, you can use something like this :

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | table field1, field2, field3

or

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | your search query

View solution in original post

ranjyotiprakash · ‎07-09-2013

you have two options :

1 .either perform field extraction using configurations in inputs.conf, props.conf, transforms.conf link text

or option 2. do field extraction directly in search command using rex link text

if using rex command, you can use something like this :

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | table field1, field2, field3

or

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | your search query

ranjyotiprakash · ‎07-12-2013

yes .. i missed escaping the extra parenthesis. thanks.

darpohsh · ‎07-10-2013

Thank you @ranjyotiprakash. With a slight modification, I was able to get it 🙂

..... | rex field = _raw ".*\s+msg:\s+(?\S+)\((?\S+)\)-(?.*)" | table field1, field2, field3

Using regex in Splunk

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!