- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write regex to extract fields at search-tim...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write regex to extract fields at search-time?
Hi-
I have the sample logs below and I want the output to be in this format.
1st Columns = BatchJobsName
2nd Col = Date
3rd Col = Start Time
4th Col = End Time
5th Col = Results
where: The BatchJobsName column is the "emailJustifications" or the "sendBelga" in the sample logs below;
The Date is the date found in "fired at:" in the sample logs below;
The Start Time is the time found in "fired (by trigger DEFAULT.emailJustificationsSimpleTrigger) at:";
The End Time is the time found in "Job DEFAULT.emailJustificationsJobLauncher fired at:";
The Result is the "result="
SAMPLE LOGS:
2014-09-05 23:57:24,644 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.emailJustificationsJobLauncher fired at: 05/09/2014 23:59:24 result=OK
2014-09-05 23:57:24,531 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.emailJustificationsJobLauncher fired (by trigger DEFAULT.emailJustificationsSimpleTrigger) at: 23:57:19 09/05/2014
2014-09-05 23:55:00,723 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.sendBelgaJobLauncherUST fired at: 05/09/2014 23:55:00 result=ERROR
2014-09-05 23:55:00,712 INFO org.quartz.plugins.history.LoggingJobHistoryPlugin Job DEFAULT.sendBelgaLauncherUST fired (by trigger DEFAULT.sendBelgaTriggerUST) at: 21:55:00 09/05/2014
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi isaias.Garcia,
based on the provided examples, try something like this:
your base search here
| rex "(?<=DEFAULT\.)(?<BatchJobsName>.+)(?=(JobLauncher)|(Launcher))"
| rex "(?<=fired\sat\:\s\s)(?<Date>.+?)(?=\s)"
| rex "(?<=at\:\s\s)(?<StartTime>.+?)(?=\s(\d+\/){2}\d+)"
| rex "(?<=(\d{2}\/){2}\d{4}\s)(?<EndTime>.+?)(?=\s)"
each regex will provide a new field which can be used in further Splunk commands. Regarding the result=OK or result=ERROR, this field should be extracted by Splunk already because it is key value based.
As soon as the result matches your needs, setup auto field extraction based on the regex - see the docs about Add fields at search time
hope that helps ... and yes there are probably better regex, but this should get you started.
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
updated some regex...
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
