Splunk Search

extract some text into a field with rex

dang
Path Finder

I'll preface my question by saying I've got zero experience with regular expressions, so don't be afraid to answer in small words to be read slowly by me.

I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:

index=main source=WinEventLog* Type=Error ComputerName=* SourceName="Application Error" 

This search returns a "Message" field that contains text which begins like this:

Faulting application name: w3wp.exe, version: 7.5.7601.17514, time stamp: 0x4ce7afa2...

I'm trying to extract a field with just the application name information in it (in this case "w3wp.exe") without the colon and space before it, and without the comma after it. I have no idea how to leverage rex to do this, but I assume that's what I want to do. There are other strings I'll want to pull out from this as well, if that changes the syntax - for example, "Faulting module name" and "Faulting module path".

Any recommendations on how to do this field extraction (without modifying props.conf or other files right now) are appreciated.


dang
Path Finder

As it turns out, I didn't really need to use the rex command. Splunk's automatic field discovery already identified the data I was trying to grab as an "interesting field", so even though I wasn't able to get the suggestions to work (probably more a lack of understanding on my part, rather than any incorrect advice on Rob or wpreston's part), I've got the data I need.

Thanks to both of you for your assistance.

0 Karma

wpreston
Motivator

How about something like this (be sure to put the name of your field in there)?

... | rex field=Message "application\sname:\s(?<MyField>[^,\s]+)"

Rob
Splunk Employee

You can probably do that by adding the rex statement:

| rex field=Message "application\s+name:\s+(?<myApplicationName>[^,]+)\,"

The above rex basically states, "go to the field named 'Message' and put whatever comes after 'application' followed by one or more spaces, followed by 'name' followed by a colon, followed by one or more spaces, then grab any character that is not a comma and add it to the field named 'myApplicationName' and stop looking for a match when we reach a comma."

As a side note, I escaped all of the non-alphanumeric characters as I prefer to make sure there is no ambiguity in the regex.
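To show what the two rex patterns above (wpreston's and Rob's) actually capture, here is an added Python example that is not part of this thread. It runs the same regexes against a constructed Message value in the format quoted in the question, then goes one step further than the thread and pulls out the other fields the question mentions (faulting module name and path) and counts crashes per application/module pair, which is what you would typically do with `stats` in Splunk. The sample messages, the field names `faulting_app`, `faulting_module`, `faulting_module_path` and `exception_code`, and the helper functions are all my own choices, not Splunk's. One caveat the code handles: Splunk's rex uses PCRE named groups `(?<name>...)`, while Python's `re` module spells them `(?P<name>...)`, so the helper rewrites that one token before matching.

```python
import re
from collections import Counter

# Constructed sample values for the Windows "Application Error" Message field. The layout
# follows the text quoted in the question; versions, time stamps and offsets are made up.
SAMPLE_MESSAGES = [
    "Faulting application name: w3wp.exe, version: 7.5.7601.17514, time stamp: 0x4ce7afa2, "
    "Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9, "
    "Exception code: 0xc0000374, Fault offset: 0x000c37b7, Faulting process id: 0x1d8c, "
    "Faulting application path: c:\\windows\\system32\\inetsrv\\w3wp.exe, "
    "Faulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll, Report Id: placeholder-report-id-1",
    "Faulting application name: w3wp.exe, version: 7.5.7601.17514, time stamp: 0x4ce7afa2, "
    "Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c8f9, "
    "Exception code: 0xc0000005, Fault offset: 0x0003b1c2, Faulting process id: 0x2a10, "
    "Faulting application path: c:\\windows\\system32\\inetsrv\\w3wp.exe, "
    "Faulting module path: C:\\Windows\\SYSTEM32\\ntdll.dll, Report Id: placeholder-report-id-2",
    "Faulting application name: outlook.exe, version: 14.0.6131.5000, time stamp: 0x50ab2a71, "
    "Faulting module name: KERNELBASE.dll, version: 6.1.7601.17651, time stamp: 0x4e211319, "
    "Exception code: 0xe0000001, Fault offset: 0x0000b9bc, Faulting process id: 0x0f44, "
    "Faulting application path: C:\\Program Files\\Microsoft Office\\Office14\\outlook.exe, "
    "Faulting module path: C:\\Windows\\system32\\KERNELBASE.dll, Report Id: placeholder-report-id-3",
]

# The two patterns posted in the answers, exactly as written in Splunk (PCRE) syntax.
WPRESTON_PATTERN = r"application\sname:\s(?<MyField>[^,\s]+)"
ROB_PATTERN = r"application\s+name:\s+(?<myApplicationName>[^,]+)\,"

# Additional patterns (my own) for the other fields the question asks about. Each one stops
# at the first comma, so a path containing spaces is still captured whole.
CRASH_PATTERNS = [
    r"Faulting application name:\s+(?<faulting_app>[^,]+),",
    r"Faulting module name:\s+(?<faulting_module>[^,]+),",
    r"Exception code:\s+(?<exception_code>0x[0-9a-fA-F]+)",
    r"Faulting module path:\s+(?<faulting_module_path>[^,]+),",
]


def rex(field_value, pattern):
    """Apply one Splunk-style rex pattern to a field value.

    Returns the named capture groups as a dict, or {} when the pattern does not match,
    which is what Splunk shows as an empty field (the symptom described later in the thread).
    """
    # PCRE named group "(?<name>" becomes Python "(?P<name>"; lookbehinds "(?<=" / "(?<!" are left alone.
    py_pattern = re.sub(r"\(\?<(?![=!])", "(?P<", pattern)
    match = re.search(py_pattern, field_value)
    return match.groupdict() if match else {}


def extract_crash_fields(message):
    """Run every CRASH_PATTERNS regex over one Message value and merge the captured fields."""
    fields = {}
    for pattern in CRASH_PATTERNS:
        fields.update(rex(message, pattern))
    return fields


def crash_counts(messages):
    """Count crashes per (application, faulting module) pair across many Message values.

    Equivalent in spirit to `| stats count by faulting_app, faulting_module` in Splunk.
    Events where the application name could not be extracted are skipped rather than
    counted under an empty key.
    """
    extracted = (extract_crash_fields(m) for m in messages)
    return Counter(
        (f["faulting_app"], f.get("faulting_module"))
        for f in extracted
        if "faulting_app" in f
    )


if __name__ == "__main__":
    print(rex(SAMPLE_MESSAGES[0], WPRESTON_PATTERN))
    print(rex(SAMPLE_MESSAGES[0], ROB_PATTERN))
    print(extract_crash_fields(SAMPLE_MESSAGES[2]))
    for (app, module), n in crash_counts(SAMPLE_MESSAGES).most_common():
        print(f"{n:>3}  {app}  {module}")
```

The Splunk equivalent of the `CRASH_PATTERNS` plus `crash_counts` step is a chain of rex commands followed by stats, for example `... | rex field=Message "Faulting application name:\s+(?<faulting_app>[^,]+)," | rex field=Message "Faulting module name:\s+(?<faulting_module>[^,]+)," | stats count by faulting_app, faulting_module`. If a rex produces an empty field in Splunk, the first thing to check is that the literal text in the pattern (including case) really appears in the field you named with `field=`.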

Rob
Splunk Employee

Sorry, I edited the above regex as there were some errors after the answer's formatting removed some slashes, etc.

0 Karma

dang
Path Finder

That didn't quite seem to work. What it does when I add it to the end of my search is that it creates a new field called "myApplicationName" but there's no data in the field, even when there is data in the "Message" field.

0 Karma