Solved: rex field? - extraction

André · ‎10-29-2021

Hi,

I want to extract the following term from this message:

(MaRSEPbac, [MaRSEPbac_Old2], [MaRSEPbac])

that means the string between ()..

message:
16:21:32.843 [35m[gcp-pubsub-subscriber1][0;39m [34mINFO [0;39m zbank.harissa.cockpit.InboundGateway - update: [export_service] context:RDB (MaRSEPbac, [MaRSEPbac_Old2], [MaRSEPbac]) progress:3/3 status:successful msg:exporting rrid: [8d9a85b8-0d34-4dea-8901-17520b4b9b9d] rrid:f50a0cce-af13-4e64-88aa-84de045380ca

How does it goes?

Thanks!

gcusello · ‎10-29-2021

Hi @André,

can you confirm that in your logs there's always the string "context:"?

if yes, you could use this regex:

| rex "context:\w+\s\((?<your_field>[^\)]+)"

that you can test at https://regex101.com/r/irfJhy/1

If the above condition isn't present, please share a fixed point in your logs.

Ciao.

Giuseppe

View solution in original post

André · ‎10-29-2021

Thanks Giuseppe, it works:

Thanks for link!

gcusello · ‎10-29-2021

Hi @André,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎10-29-2021

Hi @André,

can you confirm that in your logs there's always the string "context:"?

if yes, you could use this regex:

| rex "context:\w+\s\((?<your_field>[^\)]+)"

that you can test at https://regex101.com/r/irfJhy/1

If the above condition isn't present, please share a fixed point in your logs.

Ciao.

Giuseppe

rex field? - extraction

rex

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

rex field? - extraction

rex

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine