Splunk Search

rex not working for log4j

pcorchary
Explorer

I'm trying to extract COMPANY from each matched log line, given Tomcat log4j lines like this:

31 Jan 2012 23:59:39,963 [com.action.ProcessPassword] (TP-Processor87) (8e48955b5d66036:24.6.170.156) DEBUG: Started executeExternalProcessPassword() for name @ COMPANY

Why doesn't this rex work? (No results.)

index="myIndex" rex field=_raw "executeExternalProcessPassword.* @ (?<org>.*)"

Just index="myIndex" "executeExternalProcessPassword" returns 22k+ lines from just one day's log span.

This works perfectly:

perl -ne 'if (/executeExternalProcessPassword.*@(.+)$/) {print "$1\n"}' catalina.out
0 Karma

lguinn2
Legend

The spacing appears different in the different regexes that you are showing. Maybe it's just the line breaking or the font of your post, though. Try:

index=myIndex | rex "executeExternalProcessPassword.*@(?<org>.+)$"

dwaddle
SplunkTrust

We were discussing this in #splunk IRC, and the missing pipe character before rex in the question/example turned out to be the real culprit.

0 Karma
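To show that the regex itself is sound and that the missing pipe is the only problem, here is an added example (not from the original post or from Splunk) that applies the same pattern the accepted answer uses with | rex, in Python, to a few constructed Tomcat/log4j lines in the format shown in the question. The sample lines and the fuller field layout (timestamp, logger, thread, session:client_ip, level, message) are assumptions drawn from the single line posted above, not real log data. In SPL, rex is a search command and must come after a pipe; written without one, "rex", "field=_raw" and the quoted pattern are treated as literal search terms, which is why the original query matched nothing.

```python
import re

# Constructed sample lines in the format the question shows (not real log data).
SAMPLE_LOG = """\
31 Jan 2012 23:59:39,963 [com.action.ProcessPassword] (TP-Processor87) (8e48955b5d66036:24.6.170.156) DEBUG: Started executeExternalProcessPassword() for name @ COMPANY
31 Jan 2012 23:59:40,101 [com.action.ProcessPassword] (TP-Processor12) (1a2b3c4d5e6f:10.0.0.5) DEBUG: Started executeExternalProcessPassword() for other @ Second Org
31 Jan 2012 23:59:40,250 [com.action.Login] (TP-Processor03) (deadbeef:10.0.0.9) INFO: Login succeeded for someone
"""

# Same pattern as the accepted answer's
#   index=myIndex | rex "executeExternalProcessPassword.*@(?<org>.+)$"
# Everything after the "@" up to end of line becomes the org field.
REX_ORG = re.compile(r"executeExternalProcessPassword.*@(?P<org>.+)$")

# Assumed layout of a Tomcat/log4j line, generalised from the one posted line:
# "<ts> [<logger>] (<thread>) (<session>:<client_ip>) <LEVEL>: <msg>"
LOG4J_LINE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<logger>[^\]]+)\] "
    r"\((?P<thread>[^)]+)\) "
    r"\((?P<session>[^:]+):(?P<client_ip>[^)]+)\) "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)


def extract_org(line):
    """Return the org after '@', or None if the line is not a match.

    strip() absorbs the space-before/after-'@' difference that the first
    answer noticed between the two regexes in the question.
    """
    m = REX_ORG.search(line)
    return m.group("org").strip() if m else None


def parse_line(line):
    """Split one log4j line into its fields; add 'org' when present."""
    m = LOG4J_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["org"] = extract_org(fields["msg"])
    return fields


def orgs_from_log(text):
    """Equivalent of the perl one-liner: one org per matching line."""
    return [org for org in (extract_org(l) for l in text.splitlines()) if org]


if __name__ == "__main__":
    for org in orgs_from_log(SAMPLE_LOG):
        print(org)
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
```

The rex pattern and the perl one-liner agree on these lines; what differs in Splunk is only whether rex is invoked as a command (after "|") or matched as text.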