splunk

vinod_52791 · ‎10-09-2020

I have logs like below

Email information for the template:payment_receipt_ppo_1 Posted Successfully with status:200

Email information for the template:DEV_1 Posted Successfully with status:200

Email information for the template:payment_1 Posted Successfully with status:400

i want to display like below

template

----------
payment_receipt_ppo_1
DEV_1
payment_1

ITWhisperer · ‎10-09-2020

| rex "template:(?<template>\S+)"

vinod_52791 · ‎10-09-2020

If i place the above field i.e "

template:(?<template>\S+)

I am getting below result

payment_receipt_ppo_
DEV_
payment_

so i noticed afer backspace 1 is missing for some logs and for some logs (if the value is dev template) i am getting dev only after space I.e remplate is missing in the result

vinod_52791 · ‎10-09-2020

i want full value like below

payment_receipt_ppo_1
DEV_1
payment_1

and one more thing space separated string is also not appearing

for example if i hav evalue is log is template:dev value

but i am getting dev only

please suggest any solution

ITWhisperer · ‎10-09-2020

Please show the logs that are not working in a code block (use </> above to insert the code block). This is so that it isn't formatted and potentially removing spaces from what is shown.

vinod_52791 · ‎10-09-2020

i didnt understand what you are saying?

ITWhisperer · ‎10-09-2020

When you paste your log entries, put them in a code sample by clicking on this symbolso we can see exactly what you have because the rex expression should have worked based on what you had pasted earlier.

splunk

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!