Solved: Why am I getting "Argument 'value' contains invali...

zharkov83 · ‎02-04-2016

I'm trying to extract a log level field from my file using regex. I've tried different searches, including automatically generated by the system, but always have the same error:

In handler 'props-extract': Argument 'value' contains invalid character : ^(?:[^\]\n]*\]){2}\[\[\d+;\d+m(?<Level>\w+)\[\d+;\d+\w+\s+\]

Log line looks like this:

[2016-02-04 03:48:04,989][MNG  ][[1;31mERROR[1;0m   ][Service Manager] No camera settings in Set_CV_Camera_Settings event

When I use Search page and generate request - it's Ok:

index=* OR index=_* sourcetype=cv_manager_supervisor | rex field=_raw "(?ms)^(?:[^\\]\\n]*\\]){2}\\[\\[\\d+;\\d+m(?<Level>\\w+)\\[\\d+;\\d+\\w+\\s+\\]" offset_field=_extracted_fields_bounds | search Level=ERROR | rex field=_raw "^[^\\]\\n]*\\]\\[(?P<ProcessName>[^\\]]+)" offset_field=_extracted_fields_bounds0

Result on Search page:

[2016-02-04 03:48:06,353][MNG  ][[1;31mERROR[1;0m   ][Service Manager] No camera settings in Set_CV_Camera_Settings event
Level = ERROR ProcessName = MNG sourcetype = cv_manager_supervisor

Splunk version = 6.3.2

Please help....

somesoni2 · ‎02-04-2016

Try this as your field extraction regex

^(?:[^;]+);(\d+)m(?P<Log_Level>\w+)

View solution in original post

somesoni2 · ‎02-04-2016

Try this as your field extraction regex

^(?:[^;]+);(\d+)m(?P<Log_Level>\w+)

zharkov83 · ‎02-04-2016

Great! Thank you very much! It's work for my case very well! )
But i still do not understand why my regexp don't work 😞

Why am I getting "Argument 'value' contains invalid character" trying to extract a log level field with my regular expression?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life