How to use REX to extract the text within brackets prior to a key word?

CAB2015
New Member

I'd like to be able to extract the text within the brackets that is prior to the text that I'll be filtering on, [Error].

(I'd like to show the top x for counts. In this case I'd only graph or show counts by Object Server, Authentication Server, LDAP Server, Network Classes)

I'm trying rex, but can only seem to pull back text after the error and not before. Here's what I'm using.

source="/home/splunk/mstr_local/log/DSSErrors.log" | lookup splunked_nodes.csv host output unix_category env  | search env=PROD ERROR | rex field=_raw "[Error] (?<error>.*)"  | top  20 error

Thanks in advance

2015-12-11 10:27:21.879-05:00 [HOST:lx-pmmstgy-p06p][PID:5211][THR:1152923968][Object Server][Error][0x80041A09] Invalid Expression.
2015-12-11 10:27:18.792-05:00 [HOST:lx-pmmstgy-p07p][PID:8414][THR:1813031232][Object Server][Error][0x80041005] Index out of range in method 'LeanCollection::ItemNS'
2015-12-11 10:27:07.439-05:00 [HOST:lx-pmmstgy-p05p][PID:18853][THR:3383707968][Object Server][Error][0x80041105] The object with the given identifier is not an object of the expected type.
2015-12-11 10:27:05.029-05:00 [HOST:lx-pmmstgy-p08p][PID:8380][THR:3240225088][Authentication Server][Error][0x80043F69] An error occurred during authentication. Please contact your administrator: LDAP Server error (19): Constraint violation.
2015-12-11 10:26:43.599-05:00 [HOST:lx-pmmstgy-p07p][PID:8414][THR:2939128128][Network Classes][Error] Closing idle connetion. socket = 511

richgalloway
SplunkTrust

Your regex was only extracting text after Error because that's what you told rex to look for - "[Error]" then the field.
Assuming you always have three sets of brackets before the one you want, this regex should work for you.

(?:\[.*?\]){3}\[(?<error>.*?)\]\[Error\]
---
If this reply helps you, Karma would be appreciated.
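As an added illustration (not code from the thread or from Splunk), the accepted regex applied outside Splunk, using JavaScript because its (?<name>...) named-group syntax is the same one rex uses, so the pattern is pasted in unchanged. The sample lines are constructed from the ones quoted in the question; the extra two-bracket line and the ANYWHERE_RE variant are assumptions of this example, added to show what happens when the "always three sets of brackets" assumption does not hold and how to avoid depending on it.

```javascript
// Added example, not from the original thread. Sample lines constructed
// from the events quoted in the question.
const SAMPLE_LINES = [
  "2015-12-11 10:27:21.879-05:00 [HOST:lx-pmmstgy-p06p][PID:5211][THR:1152923968][Object Server][Error][0x80041A09] Invalid Expression.",
  "2015-12-11 10:27:18.792-05:00 [HOST:lx-pmmstgy-p07p][PID:8414][THR:1813031232][Object Server][Error][0x80041005] Index out of range in method 'LeanCollection::ItemNS'",
  "2015-12-11 10:27:07.439-05:00 [HOST:lx-pmmstgy-p05p][PID:18853][THR:3383707968][Object Server][Error][0x80041105] The object with the given identifier is not an object of the expected type.",
  "2015-12-11 10:27:05.029-05:00 [HOST:lx-pmmstgy-p08p][PID:8380][THR:3240225088][Authentication Server][Error][0x80043F69] An error occurred during authentication. Please contact your administrator: LDAP Server error (19): Constraint violation.",
  "2015-12-11 10:26:43.599-05:00 [HOST:lx-pmmstgy-p07p][PID:8414][THR:2939128128][Network Classes][Error] Closing idle connetion. socket = 511",
];

// The regex from the accepted answer, verbatim: skip exactly three bracket
// groups, then capture the fourth, which must be followed directly by [Error].
const ANSWER_RE = /(?:\[.*?\]){3}\[(?<error>.*?)\]\[Error\]/;

// Variant (an assumption of this example, not from the thread): capture
// whatever bracket group sits immediately before [Error], however many
// groups precede it. [^\]]* cannot cross a closing bracket, so it never
// backtracks across neighbouring groups the way .*? can.
const ANYWHERE_RE = /\[(?<error>[^\]]*)\]\[Error\]/;

// Returns the captured component name, or null when the pattern does not match.
function extractComponent(line, re = ANSWER_RE) {
  const m = re.exec(line);
  return m ? m.groups.error : null;
}

// Rough equivalent of "| top N error": count extracted values, sort by
// count descending, then by name for a deterministic order.
function topComponents(lines, re = ANSWER_RE, limit = 20) {
  const counts = new Map();
  for (const line of lines) {
    const component = extractComponent(line, re);
    if (component !== null) counts.set(component, (counts.get(component) ?? 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, limit);
}

// Constructed line with only two bracket groups before the component, to
// show the "always three sets of brackets" assumption failing: ANSWER_RE
// returns null here, ANYWHERE_RE still returns "Object Server".
const SHORT_LINE =
  "2015-12-11 10:28:00.000-05:00 [HOST:lx-pmmstgy-p06p][PID:5211][Object Server][Error][0x80041A09] Invalid Expression.";

console.log(topComponents(SAMPLE_LINES));
console.log(extractComponent(SHORT_LINE, ANSWER_RE), extractComponent(SHORT_LINE, ANYWHERE_RE));
```

On the five quoted events both patterns agree (Object Server 3, Authentication Server 1, Network Classes 1); they only diverge when the number of leading bracket groups changes, which is the caveat the answer states.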



CAB2015
New Member

Thanks so much! This worked great.
