How to write the regex to extract multiple values ...

visa87 · ‎01-28-2015

I have a log file containing information logged in the below format:

Response Received from ABC service for Submit
The following response has been received from XYZ for Submit

and so on.

I am interested in the values ABC , XYZ etc . SO I want to extract these values to a single field say Field1.

How can I do this?

chanfoli · ‎01-28-2015

The approach I think is cleanest (at least to my eyes) is to write these as separate extractions then merge them in your search. This trick is borrowed from lguinn's excellent answer to a related question here

 yoursearchhere |
eval output = field1 + ";" + field2 |
makemv delim=";" output |
mvexpand output

Just make sure that your fields won't contain semicolons, if so, pick a different delim.

aholzer · ‎01-28-2015

Are those two separate events or one event that you are extracting the ABC and XYZ from?

If it's two separate events, you can easily use an "or" in your regex to look for two different patterns. Try this:

<base search> | rex "(Response Received from|has been received from) (?P<my_field>[^\s]+)( service)? for Submit$"

This basically looks for either "Response Received from" or "has been received from" before capturing your field, and looks for "for Submit" after the capture. Note that the "$" anchors the "for Submit" to the end of the event, you may want to skip that if the above were shortened examples of your events.

Technically because your two events are so similar it would be simpler to do a simpler rex:

<base search> | rex "(?P<my_field>[^\s]+)( service)? for Submit$"

Because in both your cases, the value is followed by "for Submit" or "service for Submit" it really doesn't matter what comes before it.

Hope this helps

How to write the regex to extract multiple values into a single field?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk