Splunk Search

Why am I getting "Argument 'value' contains invalid character" trying to extract a log level field with my regular expression?

zharkov83
Engager

I'm trying to extract a log level field from my file using regex. I've tried different searches, including automatically generated by the system, but always have the same error:

In handler 'props-extract': Argument 'value' contains invalid character : ^(?:[^\]\n]*\]){2}\[\[\d+;\d+m(?<Level>\w+)\[\d+;\d+\w+\s+\]

Log line looks like this:

[2016-02-04 03:48:04,989][MNG  ][ERROR   ][Service Manager] No camera settings in Set_CV_Camera_Settings event

When I use Search page and generate request - it's Ok:

index=* OR index=_* sourcetype=cv_manager_supervisor | rex field=_raw "(?ms)^(?:[^\\]\\n]*\\]){2}\\[\\[\\d+;\\d+m(?<Level>\\w+)\\[\\d+;\\d+\\w+\\s+\\]" offset_field=_extracted_fields_bounds | search Level=ERROR | rex field=_raw "^[^\\]\\n]*\\]\\[(?P<ProcessName>[^\\]]+)" offset_field=_extracted_fields_bounds0

Result on Search page:

[2016-02-04 03:48:06,353][MNG  ][ERROR   ][Service Manager] No camera settings in Set_CV_Camera_Settings event
Level = ERROR ProcessName = MNG sourcetype = cv_manager_supervisor

Splunk version = 6.3.2

Please help....

0 Karma
1 Solution

somesoni2
Revered Legend

Try this as your field extraction regex

^(?:[^;]+);(\d+)m(?P<Log_Level>\w+)

View solution in original post

somesoni2
Revered Legend

Try this as your field extraction regex

^(?:[^;]+);(\d+)m(?P<Log_Level>\w+)

zharkov83
Engager

Great! Thank you very much! It's work for my case very well! )
But i still do not understand why my regexp don't work :disappointed_face:

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...