- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to write regex to extract my fields at search-...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to write regex to extract my fields at search-time?
Hi,
I have these entries in the log. I am trying to extract fields
FINISHED and ERROR_RUNNING for this.
But I am able to get only one field FINISHED.
I tried extracting fields using the interactive field extractor from GUI, but was not able to solve the issue. I even tried this:
rex field=_raw " finished with status:(?<jobstatus>.*)"
Can someone help? Below is an example of my log entries.
finished with status:FINISHED
finished with status:ERROR_RUNNING
UPDATE:
Here is full log entries; I tried without leading space..still had issue:
Job with id: VolckerVega|FX_MASTER_StepUp|VOLCKER_TF_Y_FX_MASTER_StepUp_CancellableSwap_1|SABR_GRID_ALPHA finished with status:FINISHED
Job with id: VolckerVega|MASTER|VOLCKER_TF_Y_MASTER_Swap_1|MO_CF_QTR_HDG finished with status:ERROR_RUNNING
At least one job has failed. Will not exit with system code = 0
Job with id: VolckerVega|MASTER_FPA|VOLCKER_TF_Y_MASTER_FPA_FPA_1|Volcker_FPA_Vega finished with status:ERROR_RUNNING
At least one job has failed. Will not exit with system code = 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, if it is all in one event, you should be able to use a multivalued field (see the docs on rex) and use/retrieve the individual values with the mvindex() function for eval.
Best of luck.
/k
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I made this work with transforms and props.conf.
sorry for the bad question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am very sorry. This is 1 event. what is better way to extract multiple fields from 1 event with multiple lines?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you want to fetch everything between the colon and the end of line you could try:
| rex field _raw "^.*:(?<jobstatus>.*?)$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I put your sample data and your rex string into RegExr and got both jobstatus values back. Perhaps kristian.kolb is correct and your log entries are not being handled as separate events.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you sure that these are separate events? If not, perhaps you need to add the max_match parameter to rex to create a multivalued field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have a leading space as part of your rex statement, could that be the culprit.
I think you should perhaps post a few full events, not just the the partial events.
/k
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
