Splunk Search

rex not working for log4j

pcorchary
Explorer

trying to extract COMPANY from each matched log line, given tomcat log4j lines like this:

31 Jan 2012 23:59:39,963 [com.action.ProcessPassword] (TP-Processor87) (8e48955b5d66036:24.6.170.156) DEBUG: Started executeExternalProcessPassword() for name @ COMPANY

why doesn't this rex work? (no results)

index="myIndex" rex field=_raw "executeExternalProcessPassword.* @ (?<org>.*)"

just index="myIndex" "executeExternalProcessPassword" returns 22k+ lines from just one day log span

this works perfectly:

perl -ne 'if (/executeExternalProcessPassword.*@(.+)$/) {print "$1\n"}' catalina.out
Tags (2)
0 Karma

lguinn2
Legend

The spacing appears different in the different regexes that you are showing. Maybe it's just the linebreaking or the font of your post, though. Try

index=myIndex | rex "executeExternalProcessPassword.*@(?<org>.+)$"

dwaddle
SplunkTrust
SplunkTrust

We were discussing this in #splunk IRC, and the missing pipe character before rex in the question/example turned out to be the real culprit.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...