- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Context based regex field extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to extract few fields out of logs but Splunk field extraction is not working in my case.
For example:
2015-06-17 13:48:55,689 abc-field [SystemEvent] Time:'June 17, 2015 8:48:55 PM GMT',Severity:'Critical', Event Source:'domain-c0', Code:'301503', Event Message:'Failed to publish abcd configuration version 1408159473758 to cluster domain-c0. Refer logs for details', Module:'abcd something'
2015-06-17 13:48:55,620 abc-xyz-something June 17, 2015 8:48:55 PM GMT INFO SimpleAsyncTaskExecutor-1 SystemEventDaoImpl:124 - [SystemEvent] Time:'June 17, 2015 8:48:55 PM GMT',Severity:'Informational', Event Source:'edge-0', Code:'30101', Event Message:'abcd was booted', Module:'abcd something Appliance'
In above two log snippets I am trying to extract value of the field "Severity".
But since the position of field "Severity" in both the logs are different Splunk returns the field such as:
1. Critical
2. June
Probably it is because Splunk does regex parsing based on position.
I want to extract the fields based on pre-context and post-context.
For example:
Pre-context: "Severity:'"
Required value
Post-context: "', Event"
I am completely stuck here. Please help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming these are the only 2 variants, try this:
... | rex "^.*?Severity\s*:\s*'?(?<Severity>[^'\s]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming these are the only 2 variants, try this:
... | rex "^.*?Severity\s*:\s*'?(?<Severity>[^'\s]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for your answer !
Now it will take me another day to understand this 😛
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there any Splunk regex tutorial which I can follow ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I learned by doing but that's just the way I am. So although I cannot help you much there, I can suggest some tools. My favorite is Expresso which is free. I use this almost every day. It does a good job of "translating" the RegEx to english on the right side so that when somebody gives you a solution (like I did), it will show you bit-by-bit which each part of the RegEx is doing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is exactly what I wanted thank you very much!
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
