rex field extraction

anoopambli · ‎11-28-2014

I am getting familiar with splunk commands, trying to extract hostname from an extracted field called monitor_name. monitor_name field data look like this,

[Linux][FWA Electronic Channel Messaging][l91oma1][Process][SS][/fiwlspoma4/was/INSTANCE1/profiles/base/servers/server1][error]
[Linux][Baseline][vlrtp569][Process][OSWatcher][SiSExclude]
[Linux][Baseline][vlrtp123][Process][srmclient][SiSExclude]

I would like to extract l91oma1, vlrtp569,vlrtp123 from the above field using rex command. Can someone help me with the regular expression.

chimell · ‎12-11-2016

Hi anoopambli

This search code work well

...................................|rex max_match=0 field=_raw "\[Linux\]\[[a-zA-Z\s+]+\]\[(?<monitor_name>[^\]]+)\]"|mvexpand monitor_name|table monitor_name

Look at my result

kml_uvce · ‎11-28-2014

use this

rex field=_raw "^(?:[^\[\n]*\[){3}(?P<fieldname>\w+)"

aholzer · ‎11-28-2014

@kml_uvce your escaping backslashes were lost since you forgot to use the "code" tags around your regex. The regex should actually look like below:

rex field=_raw "^(?:[^\[\n]*[){3}(?P<fieldname>w+)"

somesoni2 · ‎11-28-2014

And there is backslash missing before "w+" as well. So it should be

rex field=_raw "^(?:[^\[\n]*[){3}(?P<fieldname>\w+)"

anoopambli · ‎12-01-2014

Thanks everyone, that helped me.

rex field extraction

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?