
Regex for extraction between text and second comma

Bliide
Path Finder

I am working on a field extraction. I have created an extraction that pulls the field I want but I need it to pull even further. I currently have it pulling data between the text I identify and the first comma. I need it to pull from the text to the second comma. An example of a log file is this:

6/25/2014 15:05:12.724 | 18072 | EXCEPTION(V): PARN476_02HLOALP_RD:TF F RgstrData(0)(0): RegNum: 5.100.1, size of 0 bytes is invalid (-2147483638), RegisterMsg.cpp line 263 (class CRegisterFromDeviceMsg). Handled: RegisterMsg.cpp(class CRegisterFromDeviceMsg) line 269 |

My current REGEX looks like this:

(?i) regnum:(?P<FIELDNAME>[^,]+)

I need to either change the regex to get everything up to the second comma or change it to find everything between RegNum: and RegisterMsg.cpp.

Please advise

1 Solution

somesoni2
SplunkTrust

Give this a try. (replaces your whole regex)

(?i) RegNum:\s(?P<FIELDNAME>.*)(,\s*\w+\.\w+) line

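To see what each pattern in this thread actually captures from the sample line, here is an added Python script (not code from the thread or from Splunk). The first two patterns are copied as posted; the SECOND_COMMA pattern and the second sample line are my own assumptions, added to show what happens when the literal word "line" is absent. Python's re module treats these constructs the same way Splunk's PCRE does.

```python
import re

# Constructed sample: the log line quoted in the question.
LOG = ("6/25/2014 15:05:12.724 | 18072 | EXCEPTION(V): PARN476_02HLOALP_RD:TF F "
       "RgstrData(0)(0): RegNum: 5.100.1, size of 0 bytes is invalid (-2147483638), "
       "RegisterMsg.cpp line 263 (class CRegisterFromDeviceMsg). Handled: "
       "RegisterMsg.cpp(class CRegisterFromDeviceMsg) line 269 |")

# Constructed variant (assumption): same shape, but no ", RegisterMsg.cpp line" after the field.
LOG_VARIANT = ("6/25/2014 15:05:13.001 | 18072 | EXCEPTION(V): PARN476_02HLOALP_RD:TF F "
               "RgstrData(0)(0): RegNum: 5.100.2, value out of range (-2147483637), "
               "RegisterMsg.cpp at 301 |")

# The asker's original pattern: stops at the first comma (note it keeps the leading space).
ORIGINAL = r"(?i) regnum:(?P<FIELDNAME>[^,]+)"

# The accepted answer: greedy .* anchored by ", <name>.<ext> line" after the field.
ACCEPTED = r"(?i) RegNum:\s(?P<FIELDNAME>.*)(,\s*\w+\.\w+) line"

# Assumed alternative: literally "up to the second comma", independent of the word "line".
SECOND_COMMA = r"(?i) regnum:\s*(?P<FIELDNAME>[^,]*,[^,]*)"


def extract(pattern: str, line: str, group: str = "FIELDNAME"):
    """Return the named capture group's value, or None when the pattern does not match."""
    m = re.search(pattern, line)
    return m.group(group) if m else None


def compare(line: str) -> dict:
    """Run all three patterns over one line so the differences are visible side by side."""
    return {
        "original": extract(ORIGINAL, line),
        "accepted": extract(ACCEPTED, line),
        "second_comma": extract(SECOND_COMMA, line),
    }


if __name__ == "__main__":
    for name, line in (("LOG", LOG), ("LOG_VARIANT", LOG_VARIANT)):
        print(name)
        for pattern_name, value in compare(line).items():
            print(f"  {pattern_name:13}: {value!r}")
```

On LOG the accepted and second-comma patterns agree; on LOG_VARIANT the accepted pattern returns None because its trailing " line" anchor is missing, which is the dependency somesoni2 points out below.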


somesoni2
SplunkTrust

It's the literal string 'line' in your logs (from 'line 263'). If all your logs are similar, this word should remain the same, hence I included it in the regex.


Bliide
Path Finder

Works great. What is "line" for?


bluger_splunk
Splunk Employee

Hi Bliide --

If I understand you correctly, please correct me if I'm wrong, you would like to capture the following from the above log:

RegNum: 5.100.1, size of 0 bytes is invalid (-2147483638)

And not the entire RegNum field, correct?

RegNum: 5.100.1, size of 0 bytes is invalid (-2147483638), RegisterMsg.cpp line 263 (class CRegisterFromDeviceMsg).

For the former, you can capture it in many different ways but it would be based on the assumption that there will always be a second period within that field. If there isn't, the regex would likely fail. If you can rely on there always being 2 periods within that field you may be able to use the following regex to capture that data.

(?<field_name>RegNum\:.*\b\,.*)(?=\,)

However, if you'd rather capture the entire field value you could use the following:

(?<=RegNum\:\s{1})(?<regnum>.*)(?=Handled\:)

Hope this helps!

Kind Regards,

~Brian

Bliide
Path Finder

I am attempting to create a field extraction that will pull the data between the RegNum: and RegisterMsg.cpp

So in the example log it would pull:

5.100.1, size of 0 bytes is invalid (-2147483638)

When I try to use your suggested REGEX, Splunk gives me an "Invalid regex: syntax error". I am sure it is something I am typing incorrectly. The commas are a constant in the log. That is why I was attempting to use the second comma as the end point for the extraction. Where in my field extraction do I plug in your suggested regex?

(?i) regnum:(?P<FIELDNAME>[^,]+)
