Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit the regular expression in my search to extract a field?

KrutikaDe
New Member
‎06-28-2017 01:03 PM

Hi,

I am trying to extract error message and error code from logs in Splunk.

I can see 2 patterns of these-
pattern 1 --> error code ASDAGWS_SEARCH_EMPTY_RESULTS error message Sorry, we can't find anything that matches your search for crumbly lancashire

the regex for ths is--> error\scode\s(?.*)\serror\smessage\s(?.*)

pattern 2 --> errorcode=ASDAGWS_InvalidPageNumberOrSize&errormsg=Incorrect page number or size&RO=null
the regex for ths is-->errorcode\=(?.*)_Error\&errormsg=(?.*)

I want to extract pattern 1 first if the first pattern does not exist in the event, 2nd pattern will exist for sure, and I want to extract that.

The regex I have written is as follow--but this is not working

| rex field=_raw "(error\scode\s(?.*)\serror\smessage\s(?.*) OR errorcode\=(?.*)_Error\&errormsg=(?.*)

can someone let me know how can I proceed with that.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-29-2017 05:57 PM

Try these:

| rex max_match=0 "error\scode\s(?<capture1a>.*)\serror\smessage\s(?<capture1b>.*)(?:$|[\r\n]+)"
| rex max_match=0 "errorcode=(?<capture2a>.*)&errormsg=(?<capture2b>.*)(?:$|[\r\n]+)"
| rex max_match=0 "error\s*code(?:\s|=)(?<capture1>.*)(?:\serror\smessage\s|&errormsg=)(?<capture2>.*)(?:$|[\r\n]+)"
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2017 02:25 PM

In my experience, Splunk regex generator doesn't handle complex patterns well. This worked with your sample data and should be a good starting point.

... | rex "error\s?code(?:\s|=)(?.)(?:\serror\smessage\s|_Error\&errormsg=)(?.)" | ...

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

niketn
Legend
‎06-28-2017 01:33 PM

@KrutikaDe, I would suggest to let Splunk generate Regular Expression through Interactive Field Extraction. Following step by Step process from the the documentation (this would be better than rex command since Fields will persist as Knowledge Objects which can be easily maintained and reused. http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX

Start off with the following search query (add index, sourcetype and other metadata fields to your base search)

<Your Base Search > "error code" OR "errorcode="

Then, you can choose Extract new fields option from Search Sidebar and follow remaining steps.
Alternatively you can create Two Separate Fields for Error Code based on their respective pattern and then coalesce the fields using eval to get error code which is available.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...