Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help required on regex

rangarbus
Path Finder
‎05-25-2021 08:56 PM

Hello Friends,

I am looking for your help for a rex expression.

message =  [2021-05-26 00:00:33,477] {taskinstance.py:669} INFO - Dependencies all met for <TaskInstance: example_dag_oidc.test_bash 2021-05-25 00:00:00+00:00 [None]> 

I would like to split this message field as below fields:

  • logDateTime = 2021-05-26 00:00:33,477
  • logLevel = INFO
  • logMessage = Dependencies all met for <TaskInstance: example_dag_oidc.test_bash 2021-05-25 00:00:00+00:00 [None]> 

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

eddieddieddie
Path Finder
‎05-25-2021 09:16 PM

Try the following regex with the rex command:

 

"\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"

 

In Splunk SPL it would look like this (assuming that the raw data is in a field called 'message'):

 

| rex field=message "\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"
| table logDateTime logLevel logMessage

 

 

Hopefully that suits your needs?

Eddie

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

eddieddieddie
Path Finder
‎05-25-2021 09:16 PM

Try the following regex with the rex command:

 

"\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"

 

In Splunk SPL it would look like this (assuming that the raw data is in a field called 'message'):

 

| rex field=message "\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"
| table logDateTime logLevel logMessage

 

 

Hopefully that suits your needs?

Eddie

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...