Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help required on regex

rangarbus
Path Finder
‎05-25-2021 08:56 PM

Hello Friends,

I am looking for your help for a rex expression.

message =  [2021-05-26 00:00:33,477] {taskinstance.py:669} INFO - Dependencies all met for <TaskInstance: example_dag_oidc.test_bash 2021-05-25 00:00:00+00:00 [None]> 

I would like to split this message field as below fields:

  • logDateTime = 2021-05-26 00:00:33,477
  • logLevel = INFO
  • logMessage = Dependencies all met for <TaskInstance: example_dag_oidc.test_bash 2021-05-25 00:00:00+00:00 [None]> 

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

eddieddieddie
Path Finder
‎05-25-2021 09:16 PM

Try the following regex with the rex command:

 

"\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"

 

In Splunk SPL it would look like this (assuming that the raw data is in a field called 'message'):

 

| rex field=message "\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"
| table logDateTime logLevel logMessage

 

 

Hopefully that suits your needs?

Eddie

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

eddieddieddie
Path Finder
‎05-25-2021 09:16 PM

Try the following regex with the rex command:

 

"\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"

 

In Splunk SPL it would look like this (assuming that the raw data is in a field called 'message'):

 

| rex field=message "\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"
| table logDateTime logLevel logMessage

 

 

Hopefully that suits your needs?

Eddie

 

View solution in original post

0 Karma
Reply
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!

Get Updates on the Splunk Community!