Splunk Search

REGEX Extraction for btool.log

hartfoml
Motivator

I have these btool logs:

10-29-2013 09:15:34.551 INFO AdminManager - added factory for admin handler: 'licenses'
10-29-2013 09:15:34.551 DEBUG AdminManager - Found path '/opt/splunk/etc/apps/search/bin' for handler 'sendemail'.
29-2013 09:15:34.551 DEBUG HTTPRestDispatcher - loadConfig for masterlm _isProServer=1

When I do the automated extraction if looks like this:

(?i) DEBUG (?P<FIELDNAME>[^ ]+)

This does not find the valus followed by INFO. How could I right this so it is not dependent on the word "DEBUG"

Tags (1)
0 Karma
1 Solution

gfuente
Motivator

Hello

try this:

(?i) (DEBUG|INFO) (?P<FIELDNAME>[^ ]+)

And add with pipes any other severity values you would like to capture

regards

View solution in original post

gfuente
Motivator

Hello

try this:

(?i) (DEBUG|INFO) (?P<FIELDNAME>[^ ]+)

And add with pipes any other severity values you would like to capture

regards

hartfoml
Motivator

Thanks again for the help.

I should have put in the things I tried at the beginning.

I tried (?i) \w+ (?P<fieldname>[^ ]+)
and this (?i) \w+\s (?P<fieldname>[^ ]+)
and this (?i)\w+\s(?P<fieldname>[^ ]+)\s\-\s

0 Karma

gfuente
Motivator

then use this:

(?i) \w+ (?P<FIELDNAME>[^ ]+)

There is a "\" before the w+

0 Karma

hartfoml
Motivator

Right Thanks, I did think of doing this but what if there is a WARN or ERROR. I didn't want to put (DEBUG|ERROR|WARN|INFO) I was hoping for a more elegant way to right it.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...