Splunk Search

rex command to extract

Path Finder

[2020-07-07 12:40:01+0200] workspace_sandbox RUNNING pid 17159, uptime 21 days, 21:43:58

I have this line of log but I want to extract only workspace_sandbox as a field called Services

I'm using rex "(^(?<Service>\s\s\w+.\w+))\s\s" but having no luck.

Also want to extract "Running" as status


Legend

Hi @sphiwee ,

please, try this

| rex "\]\s+(?<service>[^ ]+)\s+(?<status>[^ ]+)"

that you can test at https://regex101.com/r/ursNeq/1

Ciao.

Giuseppe


Ultra Champion

| rex "\]\s(?<Service>\S+) (?<status>\S+)"
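
An offline check of the three patterns posted in this thread, added here as an example and not code from any of the posters. It uses Python's `re` as a stand-in for Splunk's PCRE engine (an assumption; only the named-group syntax is rewritten) and runs each pattern against the thread's log line plus two constructed lines.

```python
import re

# Only the first event is from the thread; the other two are constructed
# to exercise repeated spaces and a line with no "]" at all.
EVENTS = [
    "[2020-07-07 12:40:01+0200] workspace_sandbox RUNNING pid 17159, uptime 21 days, 21:43:58",
    "[2020-07-07 12:40:01+0200]  report_worker   STOPPED Jul 06 09:15 AM",
    "status poll finished without output",
]

# The patterns exactly as posted, in rex (PCRE) syntax.
REX = {
    "question": r"(^(?<Service>\s\s\w+.\w+))\s\s",
    "accepted": r"\]\s+(?<service>[^ ]+)\s+(?<status>[^ ]+)",
    "second_reply": r"\]\s(?<Service>\S+) (?<status>\S+)",
}

def rex_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are left alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)

def extract(pattern, event):
    """Return the named captures as a dict, or None when nothing matches
    (rex likewise leaves the fields unset on a non-matching event)."""
    m = re.search(rex_to_python(pattern), event)
    return m.groupdict() if m else None

def run_all():
    """Apply every pattern to every sample event."""
    return {name: [extract(p, e) for e in EVENTS] for name, p in REX.items()}

if __name__ == "__main__":
    for name, rows in run_all().items():
        print(name)
        for event, fields in zip(EVENTS, rows):
            print("   ", fields, "<-", event[:45])
```

The question's pattern never matches because `^\s\s` requires the event to begin with two whitespace characters, while it begins with `[`. The two replies agree on the thread's line and differ only on the constructed line with repeated spaces, where `\]\s+` still matches and `\]\s` does not.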

 

Path Finder

[Screenshot: sphiwee_0-1594122964722.png]

This is what I get, don't think it has to be like this... any ideas?


Path Finder

thanks, you're a legend.


Legend

Hi @sphiwee ,

You're welcome!

Karma Points are appreciated.

Ciao.

Giuseppe
