rex pattern to create a field

iamtrying · ‎05-23-2019

Hi,
I have this string in the log.

439 XObk5g6CUI62-gr3UIKfXAAAAAs 1@43465473@A

and I want to create a field out the string in the bold.

Please mind that 439 and 1@43465473@A are not constant.

Thanks for the help!

Saurabh

vnravikumar · ‎05-23-2019

Hi @iamtrying

Try this also

| makeresults 
| eval msg="439 XObk5g6CUI62-gr3UIKfXAAAAAs 1@43465473@A", result = mvindex(split(msg," "),1)

nabeel652 · ‎05-23-2019

Try this

| makeresults | fields - _time | eval rawdata="439 XObk5g6CUI62-gr3UIKfXAAAAAs 1@43465473@A" | rex field=rawdata "^\d+\s(?<myField>[^\s]*)\s"

More general regex would be:

| makeresults | fields - _time | eval rawdata="439 XObk5g6CUI62-gr3UIKfXAAAAAs 1@43465473@A" | rex field=rawdata "^.*?\s(?<myField>[^\s]*)"

iamtrying · ‎05-24-2019

the whole string looks like this

I 2019-05-23 22:27:15.886Z 5960 1712 XOceMpk7Ph@Lna20eJwxXwAAAAU 1@43465473@A WPB-Log: file=/users/source/testr.cls method=testmethod ID= ok=1 ProcessedBankTxnCount=2 TxnRecord=289 NumOfProcessedTxns=1

I am using
rex field=rawdata "^\d+\s(?[^\s]*)\s" | table myField

but it does not match anything.

Am I missing anything?

nabeel652 · ‎05-26-2019

You need to skip time stamp and then few other fields:

Use this

| makeresults | fields - _time | eval rawdata="I 2019-05-23 22:27:15.886Z 5960 1712 XOceMpk7Ph@Lna20eJwxXwAAAAU 1@43465473@A WPB-Log: file=/users/source/testr.cls method=testmethod ID= ok=1 ProcessedBankTxnCount=2 TxnRecord=289 NumOfProcessedTxns=1" | rex field=rawdata ".*?\s.*?\s.*?\s.*?\s.*?\s(?<myField>[^\s]*)" | table myField

rex pattern to create a field

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming

Are you a member of the Splunk Community?

rex pattern to create a field

Exciting News: The AppDynamics Community Joins Splunk!

The All New Performance Insights for Splunk

Good Sourcetype Naming