Solved: What is the regular expression for my sample event...

rajgowd1 · ‎11-16-2016

HI,
i am trying to extract the last field using field extractor but its not working. can anyone help me to write regex for below sample events?

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   HAOnly = 1;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   haLogStatus = enabled;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   logLen = 10485760;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   haLogPath = /logs/luna;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,HAConfiguration = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   CBOL-HA = 1;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,HASynchronize = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00Members = 157803010,155322014;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00SN = 1157803010;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   VirtualToken00Label = CBOL-HA;
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,VirtualToken = {
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,}
host = dm-a1fc-d5d3 source = /logs/conf/2016-11-15 sourcetype = systemdefault:hdmapp

Tue Nov 15 19:20:45 2016,dm-a1fc-d5d3,   ServerHtl01 = 0;

gokadroid · ‎11-16-2016

Try this which will extract values in fields called dateTime, myField1,myField2:

your query to return the events
| rex field=_raw "^(?<dateTime>[^,]+),(?<myField1>[^,]+),(?<myField2>.*)"
| table dateTime, myField1, myField2

View solution in original post

gokadroid · ‎11-16-2016

Try this which will extract values in fields called dateTime, myField1,myField2:

your query to return the events
| rex field=_raw "^(?<dateTime>[^,]+),(?<myField1>[^,]+),(?<myField2>.*)"
| table dateTime, myField1, myField2

rajgowd1 · ‎11-16-2016

Thank you,i am able do field extraction using delimiter and i will try this also

What is the regular expression for my sample events?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor