Extracting field with a guid as an end anchor

Cuyose · ‎03-13-2015

For some reason I have not been able to get a field extraction to work where the end anchor will be a GUID. Basically the events are as follows

Exception=This is the exception - wrong thing here. - 32c18521-1313-41e6-8ff6-1e1fb986a321

What would the field extraction for this look like?

This isn't even working for me
(?i)Exception=(?P[^[0-9a-f]{8}]+)

richgalloway · ‎03-13-2015

This works on regex101 using your sample data.

Exception=(?P<exception>.*)(?P<GUID>.{8}-.{4}-.{4}-.{4}-.{12})

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎03-13-2015

Give this a try

(?i)Exception=(?P<Exception>.*)(\s*-+\s*)\w{8}-\w{4}-\w{4}-\w{4}-\w{12}$

Cuyose · ‎03-13-2015

This has worked! Thanks. Odd though, When I was changing the field extraction in the manager, then rerunning the query, I was not noticing the extraction. Only when I edited the existing search then ran did it get the correct extractions. Re-pasting the original then also got the extractions.

richgalloway · ‎03-13-2015

What exactly do you want extracted from your sample event?

---
If this reply helps you, Karma would be appreciated.

Cuyose · ‎03-13-2015

This is what I am attempting to extract
This is the exception - wrong thing here.

richgalloway · ‎03-13-2015

Does the exception always end with '.'? We can't stop at an 8-character word or we risk losing part of the exception text.

---
If this reply helps you, Karma would be appreciated.

Cuyose · ‎03-13-2015

No it does not always end with a . I want to set the logic to:
Capture everything between Exception= and a GUID, which will always be 8-4-4-4-12 alphanumeric characters.

I know this is totally doable, but I am not able to get splunks version of regex to work.

Extracting field with a guid as an end anchor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life