Splunk Search

regex exclude nth word in the event

ppatkar
Path Finder

I want to ignore the actual file name in my exception events so I can group the exceptions .

For example, regex on below event should extract only  "Error File not found !!!"  and ignore the actual filename in between.

 

 

Error File abracadabra.gz not found !!!

 

 

Can you please advise on how to exclude this word in between the fixed format of words .

Thank you.

Labels (1)

ITWhisperer
Ultra Champion

To drop the 3rd word

| rex mode=sed "s/^(\S+\s)(\S+\s)(\S+\s)/\1\2/g"

or for more precision

| rex mode=sed "s/^(Error File )(\S+\s)(not found)/\1\3/g"

 

manjunathmeti
Champion

Use rex with sed mode:

| makeresults | eval test="Error File abracadabra.gz not found !!!" | rex field=test mode=sed "s/\s\w+\.(gz|tgz|zip)//g"

 

If this reply helps you, an upvote/like would be appreciated.

ppatkar
Path Finder

HI @manjunathmeti @ITWhisperer , Thank you for your quick reply . I have a followup question as I intend to use capture group to gather errors . My existing search is something like below :

index=*  "IOError" OR  "file does not exist"  | 
rex field=_raw max_match=1 "IOError:(?<IO_ERROR>.*)" |
rex field=_raw max_match=1 "MESSAGE=(?<FILE_ERROR>file does not exist[^\d|]+)" |
... | eval ERROR_LOG = coalesce(IO_ERROR,FILE_ERROR...) 

Can I incorporate the sed mode in this type of capture group or is there any other way ?

Thank you for all your help

 

0 Karma

ITWhisperer
Ultra Champion

rex either works in capture mode or sed mode - you could use a separate rex to edit the captured field

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!