Solved: Help required on regex

rangarbus · ‎05-25-2021

Hello Friends,

I am looking for your help for a rex expression.

message = [2021-05-26 00:00:33,477] {taskinstance.py:669} INFO - Dependencies all met for <TaskInstance: example_dag_oidc.test_bash 2021-05-25 00:00:00+00:00 [None]>

I would like to split this message field as below fields:

logDateTime = 2021-05-26 00:00:33,477
logLevel = INFO
logMessage = Dependencies all met for <TaskInstance: example_dag_oidc.test_bash 2021-05-25 00:00:00+00:00 [None]>

Thanks

eddieddieddie · ‎05-25-2021

Try the following regex with the rex command:

"\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"

In Splunk SPL it would look like this (assuming that the raw data is in a field called 'message'):

| rex field=message "\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"
| table logDateTime logLevel logMessage

Hopefully that suits your needs?

Eddie

View solution in original post

eddieddieddie · ‎05-25-2021

Try the following regex with the rex command:

"\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"

In Splunk SPL it would look like this (assuming that the raw data is in a field called 'message'):

| rex field=message "\[(?<logDateTime>[\d, :,-]+)\].+ (?<logLevel>\w+) - (?<logMessage>.+)"
| table logDateTime logLevel logMessage

Hopefully that suits your needs?

Eddie

Help required on regex

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

Help required on regex

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I