Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

RegEx for variable message field extraction

johnebgood
Path Finder
‎10-26-2012 11:25 AM

Hello, I have logs coming in that look like the following:

(Tab between columns)

server1.something.com ApacheLog 0 10.0.0.1

server2.something.com ApacheLog 0 10.0.0.2

server3.something.com GenericLog 0 0 0 0

server4.something.com GenericLog 0 0 0 0

Using the IPs to have splunk generate a pattern results in this regex:

(?i)^(?:[^\t]*\t){3}(?P<FIELDNAME>[^ ]+)

The IP will be in the same place every time ApacheLog is present... so basically I want my RegEx to be something like the following which doesn't work:

^*\t*ApacheLog*\t*\t(?P<FIELDNAME>[^ ]+)

Any assistance would be appreciated.

Thanks,
John

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

Rob
Splunk Employee
Splunk Employee
‎10-26-2012 11:31 AM

Hi John,

Try the following regex:

\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})

You can test that by using the rex command on your events and seeing if the field contains what you expect. For example:

|rex field=_raw "\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})"

View solution in original post

Reply
Solved! Jump to solution
Solution

Rob
Splunk Employee
Splunk Employee
‎10-26-2012 11:31 AM

Hi John,

Try the following regex:

\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})

You can test that by using the rex command on your events and seeing if the field contains what you expect. For example:

|rex field=_raw "\s+ApacheLog\s+\d\s+(?<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})"
Reply
Solved! Jump to solution

johnebgood
Path Finder
‎10-26-2012 01:38 PM

Perfect, thanks!

0 Karma
Reply
Solved! Jump to solution

Rob
Splunk Employee
Splunk Employee
‎10-26-2012 12:19 PM

Using the interactive field extractor, the syntax its looking for will be slightly different. Try the following there:

.*\s+ApacheLog\s+\d\s+(?P<MyFieldName>(?:\d{1,3}\.){3}\d{1,3})
Reply
Solved! Jump to solution

johnebgood
Path Finder
‎10-26-2012 11:56 AM

This works in the search field however when I attempt to edit the pattern in "Extract Fields" I get a "Invalid regex: syntax error". Any thoughts there?

Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...