Splunk Search

Using regex in Splunk

darpohsh
New Member

I would like to be able to extract some details from the logs, namely "AR1" and "SIN" as 2 fields and a 3rd field with the status after the text 'AR1(SIN)-'.

# print: msg: AR1(SIN)-rollout: Group 1 started (06:25:51)

# print: msg: AR1(SIN)-rollout: Group 1 completed (06:41:08)

Any advice on what regex I should use in my Splunk query?

0 Karma
1 Solution

ranjyotiprakash
Communicator

You have two options:

1. either perform field extraction using configurations in inputs.conf, props.conf, transforms.conf

or option 2: do field extraction directly in the search command using rex

If using the rex command, you can use something like this:

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | table field1, field2, field3

or

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | your search query


0 Karma


ranjyotiprakash
Communicator

Yes, I missed escaping the extra parentheses. Thanks.

0 Karma

darpohsh
New Member

Thank you @ranjyotiprakash. With a slight modification, I was able to get it :slightly_smiling_face:

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\((?<field2>\S+)\)-(?<field3>.*)" | table field1, field2, field3
0 Karma
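As an added check that is not part of the thread or of Splunk itself, the following Python applies both patterns from the thread (the accepted answer's, with unescaped parentheses, and the corrected one) to the two sample events and shows what `rex` would extract from each. The `to_python_regex` helper is an assumption made here: it only rewrites the PCRE `(?<name>...)` group syntax that Splunk accepts into Python's `(?P<name>...)` form.

```python
import re

# Constructed copies of the two log lines from the question.
SAMPLE_EVENTS = [
    "# print: msg: AR1(SIN)-rollout: Group 1 started (06:25:51)",
    "# print: msg: AR1(SIN)-rollout: Group 1 completed (06:41:08)",
]

# Pattern from the accepted answer: the parentheses around field2 are
# unescaped, so they form a capture group instead of matching the literal
# "(" and ")" in "AR1(SIN)".
ANSWER_PATTERN = r".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)"

# Corrected pattern from the follow-up reply: literal parentheses escaped.
FIXED_PATTERN = r".*\s+msg:\s+(?<field1>\S+)\((?<field2>\S+)\)-(?<field3>.*)"


def to_python_regex(splunk_regex: str) -> str:
    """Splunk's rex uses PCRE named groups (?<name>...); Python's re module
    needs (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", splunk_regex)


def rex(pattern: str, event: str) -> dict:
    """Mimic `rex field=_raw "<pattern>"` on one event: return the named
    groups as a field dict, or an empty dict when nothing matched (rex
    silently extracts no fields in that case rather than raising an error)."""
    match = re.search(to_python_regex(pattern), event)
    return match.groupdict() if match else {}


def extract_all(pattern: str, events=SAMPLE_EVENTS) -> list:
    """Apply the pattern to every event, like `| table field1, field2, field3`."""
    return [rex(pattern, e) for e in events]


if __name__ == "__main__":
    for label, pattern in (("answer", ANSWER_PATTERN), ("fixed", FIXED_PATTERN)):
        for fields in extract_all(pattern):
            print(f"{label:>6}: {fields}")
```

The answer's pattern yields no fields at all on these events, which is the failure mode to watch for: a rex that silently matches nothing makes any search built on those fields return empty results without warning.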