Solved: Need help on rex

rishiaggarwal · ‎02-14-2016

Hi Team,

Need help to extract fields for the following. Please help rex for the below.

    'ConnID'    '007202761fdb2c01'
    'VirtualQueue'  'ABC_EFG_BJFNKJFN'

esix_splunk · ‎02-14-2016

If these are single line events:

\'ConnID\'\s+\'(?<ConnID>[^\']+)'

And

\'VirtualQueue\'\s+\'(?<VirtualQueue>[^\']+)'

Multiline events are a bit different. You need to make sure that the events are process properly as multiline, then you can do something like..

  (?m) \'ConnID\'\s+\'(?<ConnID>[^\']+)'\n\'VirtualQueue\'\s+\'(?<VirtualQueue>[^']+)'

esix_splunk · ‎02-14-2016

If these are single line events:

\'ConnID\'\s+\'(?<ConnID>[^\']+)'

And

\'VirtualQueue\'\s+\'(?<VirtualQueue>[^\']+)'

Multiline events are a bit different. You need to make sure that the events are process properly as multiline, then you can do something like..

  (?m) \'ConnID\'\s+\'(?<ConnID>[^\']+)'\n\'VirtualQueue\'\s+\'(?<VirtualQueue>[^']+)'

Amohlmann · ‎02-14-2016

Is that the full event? Which part are you trying to extract? What are the names of the fields here?

renjith_nair · ‎02-14-2016

@rishiaggarwal , Is that the full event ? Also please clarify what you want to extract

Happy Splunking!

Need help on rex