Hi,
here is a run-everywhere example, just copy and paste it in your Splunk search bar. Is this what you want?
| stats count | eval line="2014-11-14 12:52:59:[ INFO]:- batman.java1 length of 25 error :0:" | rex field=line max_match=0 "(?<test1>[a-zA-Z]+)" | mvcombine test1
Is the goal here to match terms that have a minimum of one alpha character?
What about something like (\w*[A-Za-z]+\w*)
Thanks. What is the mvcombine doing?
The rex command extracts multiple words from the string and puts them into the field test1. Because there are multiple values, the field is then a so-called multi-value field. Mvcombine transforms mv fields to normal fields.
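To make the two regexes discussed in this thread concrete, here is an added Python example (not from the original posts, and not Splunk itself) that runs both patterns over the sample event with `re.findall`, which behaves like `rex ... max_match=0` (every non-overlapping match becomes one value of the multi-value field). The `combine` helper is a rough stand-in for collapsing the multi-value result into a single string; the sample line is the one posted above, and the function names are my own.

```python
import re

# Sample event, copied from the line posted in the thread.
SAMPLE_LINE = "2014-11-14 12:52:59:[ INFO]:- batman.java1 length of 25 error :0:"

# Pattern from the thread's rex command: runs of ASCII letters only.
# Digits are never part of a match, so "java1" yields "java" and "25" yields nothing.
ALPHA_ONLY = re.compile(r"[a-zA-Z]+")

# Alternative suggested in the thread: any \w token that contains at least one letter.
# Purely numeric tokens are skipped, but "java1" is kept whole.
TOKEN_WITH_ALPHA = re.compile(r"\w*[A-Za-z]+\w*")


def extract_all(pattern, line):
    """Analogue of `rex max_match=0`: return every match as a list (the mv field)."""
    return pattern.findall(line)


def combine(values, delim=" "):
    """Rough analogue of collapsing an mv field into one single-valued string."""
    return delim.join(values)


def compare_patterns(line):
    """Show side by side what each regex extracts from one event."""
    return {
        "alpha_only": extract_all(ALPHA_ONLY, line),
        "token_with_alpha": extract_all(TOKEN_WITH_ALPHA, line),
    }


if __name__ == "__main__":
    for name, values in compare_patterns(SAMPLE_LINE).items():
        print(f"{name:17s} -> {combine(values)}")
```

Note that both patterns also pick up the severity word `INFO` from the `[ INFO]` bracket, so if only the message text is wanted the timestamp and level prefix need to be stripped first (or anchored past) rather than relying on the character class alone.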
Sure,
2014-11-14 12:52:59:[ INFO]:- batman.java1 length of 25 error :0:
For the above, scrape 45, 25 and 1 from the field result and have it look like this
"batman.java length of error"
The query needs to be a catch-all for multiple log types like Cisco, Juniper and Unix
Just post a few single events from a few different types, and specify what you're trying to extract. Otherwise this question is pretty much impossible to answer with any confidence.
Can you provide some example events and what you want to extract from them?
Can you give an example of the data you're matching against?