Hi All, I kindly request your help to get fields extracted from database column. I'm working on splunk db-connect app. Can anyone please provide me sample sql query to extract subfields from status field? For e.g. I would need something like msg=login failed, host and ip fields to be extracted from below unique database records.  Sample Database output with unique records from splunk db-connect app:  Date   User  Input        Status   xxx     abc      123        login failed...                                             host=xyz |                                             ip=0.0.0.0 |  yyy      xyz      456       login successful  zzz     pqr       789       host=xyz |                                            ip=0.0.0.0 |   Appreciate your help!!                                          ... View more

Hi Community, I would need your help in extracting multi field values from the below sample. I have a regex below which is not helping me in extracting multi field values, It's just extracting first value from the  below log sample. So could you help me in modifying the regex please? Thanks in advance. Regex: \w+[\s+\-\:\w+]*=(?:[^\\,]+)* e.g. multivalue field is dhcp-parameter-request-list=1\, 22\, 3\, 4\, 77\, 55\, 99\, 200\, Current Result: dhcp-parameter-request-list=1 (Pls note just 1 is extracted from my regex but i would need other values i.e. 22, 3, 4, 77, 55, 77, 99 and 200 to get extracted as well)  Log source Sample: Oct 19 16:55:17 xxxxx33 xxx_profiler 000324 1 0 2020-10-19 16:55:17:108 +01:00 000628 80002 INFO Profiler: Profiler Endpoint Profiling event occured, configversionid=xxxx, Endpointcertainitymetric=50, EndpointIPAddress=xx.xx.xx.xxx, EndpointProperty=dhcp-class-identifier=xx.xxx.com\, Policyversion=000\, AuthenticationIdentityStore=Internal Endpoints\, lldpcachecapabilities=B\;T\, EndpointPolicyID=xxx-xxx-xxxxx\, LogicalProfile=xxx-xxx-xx\, xxx-xxxx-xxxx\, AuthenticationMethod=lookup\, FirstCollection=1518577\, CacheUpdateTime=10000\, IdentityAtoreGUID=\, StaticAssignment=false\, UserName=xxx\, NmapScanCpunt=0\, NetwrokDeviceName=xx.xx.xx.com\, DestIPAddress=xx.xx.xxx.xx\, AAA-Server=xxx\, MessageCode=000\, Device Type= Device Type#All Device Types\,PortalUser=\, AllowedProtocalMatchedRule=Wired_MM\, ciaddre=x.x.x.x\, BYODRegistration=Unknown\, Calling-Station-ID=xx-xx-xx-xx\, dhcp-requested-address=xx.xx.xx.xx\, FailureReason=-\, dhcp-parameter-request-list=1\, XX\, X\, X\, XX\, XX\, XX\, XXX\, PostureApplicable=Yes\, Description=Voice:XXX Phones Caanry Waref #VLAN:IPT-VOICE#TYPE:VOICE#SYNC:1.0\, phoneID=\, hostname=xxxx\, NAS-Port-Id=Gigabit Ethernet/x/xx\, location=location #all locations#\, uniquesubjectid=, EndpointSourceEvent=DNS Probe, EndpointIdentityGroup=xxx_Phones, ProfileServer=xx.xx.xx.xx, ... View more

Hello Splunkers, I'm working on creating a DB health check report. Idea is to get the  error info when there is  a failed db connection.  When I'm trying to run the search below in Splunk QA I'm getting an error as Error in 'rex' command: Encountered the following error while compiling the regex '^(?<error>.*)\n?': Regex: syntax error in subpattern name (missing terminator). Could you please help me resolve this issue? Thanks in advance.  index="_internal" sourcetype=dbx_job_metrics input_name=* connection="*" | eval event_time=strftime(_time,"%m/%d/%y %H:%M:%S") | join type=left connection [search index="_internal" sourcetype=dbx_server ERROR | rex field=_raw "^(?<error>.*)\n?" | rex field=error "/api/connections/(?<connection>[^/]+)"] | stats latest(event_time) as event_time latest(host) as HF latest(connection) as connection latest(status) as status latest(error) as error by input_name | sort - status ... View more