Splunk Search

Using regex in Splunk

darpohsh
New Member

I would like to be able to extract some details from the logs, namely "AR1" and "SIN" as 2 fields and a 3rd field with the status after the text 'AR1(SIN)-'.

# print: msg: AR1(SIN)-rollout: Group 1 started (06:25:51)

# print: msg: AR1(SIN)-rollout: Group 1 completed (06:41:08)

Any advice on what regex I should use in my Splunk query?

1 Solution

ranjyotiprakash
Communicator

You have two options:

1. Perform field extraction using configurations in inputs.conf, props.conf and transforms.conf.

2. Do field extraction directly in the search command using rex.

If using the rex command, you can use something like this:

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | table field1, field2, field3

or

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)" | your search query



ranjyotiprakash
Communicator

Yes, I missed escaping the extra parenthesis. Thanks.


darpohsh
New Member

Thank you @ranjyotiprakash. With a slight modification, I was able to get it 🙂

..... | rex field = _raw ".*\s+msg:\s+(?<field1>\S+)\((?<field2>\S+)\)-(?<field3>.*)" | table field1, field2, field3
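The two regexes from this thread, run locally against the question's sample lines. This is an added example, not code from the original thread or from Splunk: it uses Python's `re` module, which spells named groups `(?P<name>...)` where Splunk's PCRE-based rex uses `(?<name>...)`, so a small helper translates that syntax before matching. It shows why the accepted answer's pattern as posted does not match (the `(` and `)` around SIN are unescaped, so `\S+` swallows the whole `AR1(SIN)-rollout:` token and no `\S+` followed by `-` remains), that the escaped pattern from the final post yields AR1, SIN and the trailing text, and adds a third pattern of my own (an assumption, not from the thread) built from negated character classes that needs no leading `.*`.

```python
import re
from typing import Optional

# Constructed sample events: the two log lines from the question.
SAMPLE_EVENTS = [
    "# print: msg: AR1(SIN)-rollout: Group 1 started (06:25:51)",
    "# print: msg: AR1(SIN)-rollout: Group 1 completed (06:41:08)",
]

# Regex from the accepted answer, exactly as posted: the "(" and ")" around SIN
# are not escaped, so they open a group instead of matching literal characters.
ANSWER_REGEX = r".*\s+msg:\s+(?<field1>\S+)\s+((?<field2>\S+))-(?<field3>.*)"

# Regex from the final post, with the literal parentheses escaped.
CORRECTED_REGEX = r".*\s+msg:\s+(?<field1>\S+)\((?<field2>\S+)\)-(?<field3>.*)"

# Assumed alternative (not from the thread): negated classes instead of \S+ mean
# field1 cannot run past "(" and field2 cannot run past ")", so the engine does
# not backtrack, and the leading ".*\s+" is dropped because rex, like re.search,
# matches anywhere in the event.
TIGHTER_REGEX = r"msg:\s+(?<field1>[^(\s]+)\((?<field2>[^)\s]+)\)-(?<field3>.*)"


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! begin with the same three characters and must be
    left alone, hence the lookahead requiring a name character after "(?<".
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def rex(pattern: str, event: str) -> Optional[dict]:
    """Mimic `| rex field=_raw "<pattern>"` on a single event.

    Returns the named groups as a dict when the pattern matches, else None
    (Splunk simply leaves the fields unset on an event that does not match).
    """
    match = re.search(pcre_to_python(pattern), event)
    return match.groupdict() if match else None


def extract_all(pattern: str, events: list) -> list:
    """Like `| table field1, field2, field3`: one row per event, None on no match."""
    return [rex(pattern, event) for event in events]


if __name__ == "__main__":
    for label, pattern in [("as posted", ANSWER_REGEX),
                           ("escaped", CORRECTED_REGEX),
                           ("tighter", TIGHTER_REGEX)]:
        print(f"--- {label}: {pattern}")
        for row in extract_all(pattern, SAMPLE_EVENTS):
            print(row)
```

Running it prints `None` for both events under the pattern as posted and identical rows for the other two patterns. The leading `.*\s+` in the thread's patterns is harmless on these short lines, but rex is unanchored anyway, and an unanchored `.*` at the front forces the engine to try every start position on long events, which is why the third pattern drops it.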