Splunk Search

need help to write regex for the below events

kavyakanne
Engager

Attached are my events I want rex to extract the highlighted text from the events and the events are logged under the field name JobName

========================================================
krwesx05.krw.app.com-IDPD3VPSEC01-Daily-Incremental-Backup-to-Disk
krwesx06.krw.app.com-krwbe3-Daily-Incremental-Backup-to-Disk
IDPD2VPIVC01-Application-02-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Web-Server-01-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Mail-Server-01-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-File-Servers-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Mail-Server-01-Daily-Incremental-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-KRWHR1-Backup-Daily-Incremental-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Application-03-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Application-01-Daily-Incremental-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC02-Application-03-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Application-02-Daily-Incremental-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Active-Directory-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Application-01-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC02-Active-Directory-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Mail-Server-02-KRWLN3-Daily-Incremental-Backup-to-StoreOnce-Catalyst
idwikppads01.app.com-Daily-Incremental-Backup-to-VTL
APP_Gold_VM_Image_Backup_01-Daily-Incremental-Backup-to-VTL
APP_Global_AD-Daily-Incremental-Backup-to-VTL

SRPWEB9-Daily-Incremental-Backup-to-VTL

Post rex I would want results like

Daily-Incremental-Backup
Weekly-Full-Backup

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Here's one regex string. It's not as efficient as I would like, though.

| rex "(?<jobName>(?:Daily|Weekly)-\w+-Backup)"

This one is a little different, but a lot more efficient.

| rex "-(?<jobName>\w+-\w+-Backup)-"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Here's one regex string. It's not as efficient as I would like, though.

| rex "(?<jobName>(?:Daily|Weekly)-\w+-Backup)"

This one is a little different, but a lot more efficient.

| rex "-(?<jobName>\w+-\w+-Backup)-"
---
If this reply helps you, Karma would be appreciated.
0 Karma

kavyakanne
Engager

Thanks a ton! :slightly_smiling_face:

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...