Solved: regex extraction

indeed_2000 · ‎06-29-2021

Hi

from this log:

23:52:52.758 alex appinfo: Terminating due to signal: 1

How can I extract these item with rex:

user=alex

appname=appinfo

signal=1

Thanks,

kamlesh_vaghela · ‎06-29-2021

@indeed_2000

Can you please try this?

YOUR_SEARCH| rex field=_raw "[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,3}.[0-9]{1,3}\s(?<user>\w+)\s(?<appname>\w+).*signal\:\s(?<signal>.*)"

My Sample Search :

| makeresults |eval _raw="23:52:52.758 alex appinfo: Terminating due to signal: 1" | rex field=_raw "[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,3}.[0-9]{1,3}\s(?<user>\w+)\s(?<appname>\w+).*signal\:\s(?<signal>.*)"

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

ITWhisperer · ‎06-29-2021

| rex "\S+\s(?<user>\S+)\s(?<appname>\S+):\s.*?signal:\s(?<signal>\d+)"

kamlesh_vaghela · ‎06-29-2021

@indeed_2000

Can you please try this?

YOUR_SEARCH| rex field=_raw "[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,3}.[0-9]{1,3}\s(?<user>\w+)\s(?<appname>\w+).*signal\:\s(?<signal>.*)"

My Sample Search :

| makeresults |eval _raw="23:52:52.758 alex appinfo: Terminating due to signal: 1" | rex field=_raw "[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,3}.[0-9]{1,3}\s(?<user>\w+)\s(?<appname>\w+).*signal\:\s(?<signal>.*)"

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

indeed_2000 · ‎06-29-2021

it work separately but not work all in same time

Worked

rex field=_raw "[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,3}.[0-9]{1,3}\s(?<user>\w+)
rex field=_raw "[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,3}.[0-9]{1,3}\s(?<appname>\w+)
rex field=_raw "[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,3}.[0-9]{1,3} .*signal\:\s(?<signal>.*)"

Not worked

| rex field=_raw "[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,3}.[0-9]{1,3}\s(?<user>\w+)\s(?<appname>\w+).*signal\:\s(?<signal>.*)"

any idea?

Thanks

kamlesh_vaghela · ‎06-29-2021

@indeed_2000

It's working for me on your given sample data. Can you please share those sample events which are not extracting?

regex extraction

field extraction

fields

regex

rex

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

regex extraction

field extraction

fields

regex

rex

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits