Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write the regex to extract and list values occurring after a constant string?

pavanae
Builder
‎10-06-2015 11:37 AM

The following were my search results:

processor.ProcSavePriceInfoObjects.writeProperties(ProcSavePriceInfoObjects.java:1424)
processor.ProcSavePriceInfoObjects.saveSubtotalPriceInfos(ProcSavePriceInfoObjects.java:1180)
processor.ProcSavePriceInfoObjects.saveShippingItemsSubtotalPriceInfos(ProcSavePriceInfoObjects.java:1076)
processor.ProcSavePriceInfoObjects.savePriceInfo(ProcSavePriceInfoObjects.java:1052)
processor.ProcSavePriceInfoObjects.saveOrderPriceInfo(ProcSavePriceInfoObjects.java:807)
processor.ProcSavePriceInfoObjects.runProcess(ProcSavePriceInfoObjects.java:716)

Now I want list out only the results occurring after the "processor.proc"

How to write a regex in Splunk as needed?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PGrantham
Path Finder
‎10-06-2015 12:33 PM

Something like:

index=<your index> | rex field=_raw "processor.Proc(?<new_field>[^\s]+)" | stats values(new_field)

This will create a new field called "new_field" and add everything after the "processor.Proc" up until the next space. If what you're showing is a single, multilined event, then you would need to add max_match=0 to the rex command and change the "\s" to a "\n". So it would look liked:

 index=<your index> | rex max_match=0 field=_raw "processor.Proc(?<new_field>[^\n]+)" | stats values(new_field)

Hope that helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

PGrantham
Path Finder
‎10-06-2015 12:33 PM

Something like:

index=<your index> | rex field=_raw "processor.Proc(?<new_field>[^\s]+)" | stats values(new_field)

This will create a new field called "new_field" and add everything after the "processor.Proc" up until the next space. If what you're showing is a single, multilined event, then you would need to add max_match=0 to the rex command and change the "\s" to a "\n". So it would look liked:

 index=<your index> | rex max_match=0 field=_raw "processor.Proc(?<new_field>[^\n]+)" | stats values(new_field)

Hope that helps.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-06-2015 12:23 PM

Are we looking at a single field or the entire event?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...