Splunk Search

Using regex in Splunk

darpohsh
New Member

I would like to be able to extract some details from the logs, namely "AR1" and "SIN" as 2 fields and a 3rd field with the status after the text 'AR1(SIN)-'.

# print: msg: AR1(SIN)-rollout: Group 1 started (06:25:51)

# print: msg: AR1(SIN)-rollout: Group 1 completed (06:41:08)

Any advice on the regex that I should use in my Splunk query?


ranjyotiprakash
Communicator

You have two options:

1. Either perform field extraction using configurations in inputs.conf, props.conf, transforms.conf

2. Or do field extraction directly in the search command using rex

If using the rex command, you can use something like this:

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | table field1, field2, field3

or

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | your search query



ranjyotiprakash
Communicator

Yes... I missed escaping the extra parentheses. Thanks.

0 Karma

darpohsh
New Member

Thank you @ranjyotiprakash. With a slight modification, I was able to get it 🙂

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\((?<field2>\S+)\)-(?<field3>.*)" | table field1, field2, field3
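As an added example (not code from the thread), the script below runs both regexes from this thread over the two sample events and shows why the first one produced empty columns while the escaped version extracts AR1, SIN and the status. It assumes Splunk's rex uses PCRE named groups, which Python's re module spells (?P<name>...); the small conversion helper is mine, not a Splunk function.

```python
import re

# Sample events, constructed from the two log lines quoted in the question.
SAMPLE_EVENTS = [
    "# print: msg: AR1(SIN)-rollout: Group 1 started (06:25:51)",
    "# print: msg: AR1(SIN)-rollout: Group 1 completed (06:41:08)",
]

# First regex from the accepted answer: the parentheses around field2 are
# unescaped, so they open an extra capture group instead of matching the
# literal "(" and ")" in the event, and the whole pattern fails to match.
BROKEN_REGEX = r".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)"

# Corrected regex from the asker's follow-up, with \( and \) escaped.
FIXED_REGEX = r".*\s+msg:\s+(?<field1>\S+)\((?<field2>\S+)\)-(?<field3>.*)"


def to_python_syntax(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched. Helper assumed here,
    not part of Splunk."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract_fields(pattern: str, event: str):
    """Mimic `rex field=_raw "<pattern>"` on a single event: return the
    named groups as a dict, or None when the pattern does not match.
    rex is silent on a non-match, which is why a broken regex shows up
    as empty columns in `table field1, field2, field3`, not as an error."""
    match = re.search(to_python_syntax(pattern), event)
    return match.groupdict() if match else None


def extract_all(pattern: str, events=SAMPLE_EVENTS):
    """Apply the pattern to every event, keeping None for non-matches."""
    return [extract_fields(pattern, event) for event in events]


if __name__ == "__main__":
    for label, pattern in (("broken", BROKEN_REGEX), ("fixed", FIXED_REGEX)):
        print(f"{label}:")
        for row in extract_all(pattern):
            print("   ", row)
```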