Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to extract this fields

christian75
Engager
‎05-14-2021 05:50 AM

When i try to extract BiosMake fields in my log file with field extraction (Mode regex).I have this:Error in 'rex' command: regex="^\w+="\d+\.\d+\.\d+\.\d+"\s+\w+=\w+\d+\s+\w+=\d+\s+\w+=\w+\-\w+\s+\d+\-\w+\s+\w+=\d+\.\d+\s+\w+=\w+\d+\s+\w+\.\s+\d+\.\d+\.\d+\s+\w+=\d+\s+\w+=\d+\w+\d+\s+\d+:\d+:\d+\.\d+\s+\w+=\w+\.\w+\.\w+\\\w+\-\w+\-\w+\d+\w+\s+\w+=\w+\d+\s+\w+\s+\d+\s+\w+\s+\w+=\w+\s+\w+\s+\w+=\w+\d+\s+\w+=(?P<volumeEncryptionState>\w+)" has exceeded configured match_limit, consider raising the value in limits.conf

this is my log:

 

AgentVersion="2.5.1126.0" ComputerManufacturerName=ASDA3101705 iscompliant=1 policyCipherStrength=AES-CBC 128-Bit TpmVersion=1.4 BiosVersion=N75 Ver. 01.33 Id=292629 LatestEntry=2021May14 14:31:36.077 MachinesUsersNames=eu.airbus.corp\TA-ADMIN-ST40783 OperatingSystemName=ASDA3101705 Windows 10 Enterprise ComputerType=Portable Name=ASDA3101705 volumeEncryptionState=Encrypting TpmMake=IFX  BiosMake=Phoenix Technologies LTD
Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-14-2021 06:02 AM

Hi @christian75,

if your volumeEncryptionState field hasn't any space in the value, please try this regex

| rex "volumeEncryptionState\=(?<volumeEncryptionState>[^ ]+)"

that you can test at https://regex101.com/r/nejG4v/1

otherwise, please test this:

| rex "volumeEncryptionState\=(?<volumeEncryptionState>.+)\s+TpmMake"

 that you can test at https://regex101.com/r/nejG4v/2

Ciao.

Giuseppe

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-14-2021 06:01 AM

Do you not need to escape the embedded double quotes?

regex="^\w+=\"\d+\.\d+\.\d+\.\d+\"\s+\w+=\w+\d+\s+\w+=\d+\s+\w+=\w+\-\w+\s+\d+\-\w+\s+\w+=\d+\.\d+\s+\w+=\w+\d+\s+\w+\.\s+\d+\.\d+\.\d+\s+\w+=\d+\s+\w+=\d+\w+\d+\s+\d+:\d+:\d+\.\d+\s+\w+=\w+\.\w+\.\w+\\\w+\-\w+\-\w+\d+\w+\s+\w+=\w+\d+\s+\w+\s+\d+\s+\w+\s+\w+=\w+\s+\w+\s+\w+=\w+\d+\s+\w+=(?P<volumeEncryptionState>\w+)"
0 Karma
Reply

aasabatini
Motivator
‎05-14-2021 06:01 AM

Hi @christian75 

I suppose your regex is to heavy and generate and error anyway I suggest to use automatic key value extraction

https://docs.splunk.com/Documentation/Splunk/8.1.3/Knowledge/Automatickey-valuefieldextractionsatsea...

however if you need a new light regex you can use this:

 

 

BiosMake=(?<biosmake>[^ ].+)

 

 hope can help

Ale

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...