Hi all,
I'm trying to do a field extraction of database name (let's call the field "DBname") from logs that come in 2 formats:
Jan 19 15:58:06 192.168.1.2 Jan 19 15:58:06 Message forwarded from Database1: Oracle Audit blablablabla Jan 20 06:36:17 192.168.1.3 Jan 20 06:36:17 Database2 journal: Oracle Audit blablablablabla Jan 21 06:36:17 192.168.1.4 Jan 21 06:36:17 Database_10 journal: Oracle Audit blablablablabla Jan 22 15:58:06 192.168.1.5 Jan 22 15:58:06 Message forwarded from Database4: Oracle Audit blablablabla Jan 23 15:58:06 192.168.1.6 Jan 23 15:58:06 Message forwarded from prmds1: Oracle Audit blablablabla Jan 24 15:58:06 192.168.1.7 Jan 24 15:58:06 Message forwarded from Database_15: Oracle Audit blablablabla Jan 26 15:58:06 192.168.1.9 Jan 26 15:58:06 Message forwarded from prmds2: Oracle Audit blablablabla Jan 27 15:58:06 192.168.1.8 Jan 27 15:58:06 fafa32 journal: Oracle Audit blablablablabla
So, the "DBname" field value comes after "Message forwarded from" or before "journal". Splunk fails with the regex and unfortunately so do I. I found it's an issue that the events are so similarly formatted in this case 😄 My question is if I am missing something with the regex or I should approach it in a completely different manner.
Thank you for the help!
... View more
