Splunk Search

use rex to define a string as a field

c799651
Explorer

Hi,

I have an index that returns alarms with details as a string. I want to define the text in bold as a field. The string can vary according to the alarm event.

07/10/2020 23:59:06 [37104$0]: sndala.cxx.68: disk space is less than threshold ,TYPE=SINGLE, LEVEL=major...

Thanks


inventsekar
SplunkTrust

(edited) Tested and it's working fine:


| makeresults 
| eval log="07/10/2020 23:59:06 [37104$0]: sndala.cxx.1185: disk space is less than threshold ,TYPE=SINGLE, LEVEL=major" 
|rex field=log "cxx\.1185\:(?<errortype>.*)\ \," | table errortype

(PS - I have given around 500+ karma points so far and received a badge for that. If an answer helped you, a karma point would be nice! We all should "Learn, Give Back, Have Fun".)

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

inventsekar
SplunkTrust

Hi @c799651, your question was a bit confusing, so I assumed that you want to use rex to extract...

| makeresults 
| eval log="07/10/2020 23:59:06 [37104$0]: sndala.cxx.68: disk space is less than threshold ,TYPE=SINGLE, LEVEL=major" 
|rex field=log "\:\ (?<LogEvent>.*)\,TYPE" | table LogEvent


c799651
Explorer

Thanks, and sorry I was not clear.

I basically want to use rex to define a string as a field called errortype.

as an example the event may contain the following

cxx.1185:  An IP address becomes unavailable , 

or another error may be

cxx.1185:  Map is full ,

This is what I tried. The error description is always after the cxx.1185 and before the next comma.

This almost worked, but I can't work out how to pattern match everything after cxx.1185: and before the next comma. I tried things like " *," but that didn't work:

index=alarm-app-n 
| rex field=_raw "cxx.1185:(?<errortype>*,)"

 

I worked it out after a bit more searching on Splunk Answers. This works:

index=alarm-app-n LEVEL=major
| rex field=_raw "cxx.1185:(?<errortype>[^,]+)"
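As an added worked example (not part of the original thread or any poster's code), here is the same extraction logic in Python's `re` module, run over three constructed events in the shape shown above. It shows why a `.*` capture followed by a comma, as in the first answers, runs to the last comma on the line, why the `[^,]+` from the final working search stops at the first comma, and it generalises the pattern to any `cxx.<number>` code with the surrounding whitespace trimmed, which is an assumption beyond what the thread shows. Python's named-group syntax is `(?P<name>...)` where Splunk's rex uses `(?<name>...)`; the patterns are otherwise the same.

```python
import re

# Constructed sample events in the shape shown in the thread; not real alarm data.
SAMPLE_EVENTS = [
    "07/10/2020 23:59:06 [37104$0]: sndala.cxx.68: disk space is less than threshold ,TYPE=SINGLE, LEVEL=major",
    "07/10/2020 23:59:07 [37104$0]: sndala.cxx.1185:  An IP address becomes unavailable , TYPE=SINGLE, LEVEL=major",
    "07/10/2020 23:59:08 [37104$0]: sndala.cxx.1185:  Map is full , TYPE=SINGLE, LEVEL=minor",
]

# Greedy form: ".*" runs to the LAST comma on the line, so later fields leak in.
GREEDY = re.compile(r"cxx\.\d+:(?P<errortype>.*),")

# The thread's working search: a negated class stops at the first comma. Splunk's
# rex writes the group as (?<errortype>...); Python's re needs (?P<errortype>...).
ACCEPTED = re.compile(r"cxx\.1185:(?P<errortype>[^,]+)")

# Generalised (an assumption beyond the thread): any cxx.<digits> code, the code
# captured as its own field, leading/trailing whitespace kept out of the capture.
# The lazy "+?" lets "\s*," claim the padding before the comma.
GENERAL = re.compile(r"cxx\.(?P<code>\d+):\s*(?P<errortype>[^,]+?)\s*,")


def extract_greedy(event):
    """Return the over-captured description produced by the greedy pattern."""
    m = GREEDY.search(event)
    return m.group("errortype") if m else None


def extract_accepted(event):
    """Return errortype exactly as the thread's final rex would (untrimmed)."""
    m = ACCEPTED.search(event)
    return m.group("errortype") if m else None


def extract(event):
    """Return (code, errortype) for any cxx.<n> event, or None if no match."""
    m = GENERAL.search(event)
    return (m.group("code"), m.group("errortype")) if m else None


def extract_all(events):
    """Apply extract() to a batch, skipping events that do not match."""
    return [hit for hit in (extract(e) for e in events) if hit is not None]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(repr(extract_greedy(event)), "|",
              repr(extract_accepted(event)), "|", extract(event))
```

The generalised pattern translates directly to SPL as `| rex field=_raw "cxx\.(?<code>\d+):\s*(?<errortype>[^,]+?)\s*,"` (an assumption on my part, not a search from the thread). One caveat with any of these patterns: if a description itself contains a comma, `[^,]+` truncates it at that comma, so check the `TYPE=` field still follows the captured text before relying on `errortype` in an alert.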