Trying to extract COMPANY from each matched log line, given Tomcat log4j lines like this:
31 Jan 2012 23:59:39,963 [com.action.ProcessPassword] (TP-Processor87) (8e48955b5d66036:24.6.170.156) DEBUG: Started executeExternalProcessPassword() for name @ COMPANY
Why doesn't this rex work? (No results.)
index="myIndex" rex field=_raw "executeExternalProcessPassword.* @ (?<org>.*)"
Just index="myIndex" "executeExternalProcessPassword"
returns 22k+ lines from a one-day log span.
This works perfectly:
perl -ne 'if (/executeExternalProcessPassword.*@(.+)$/) {print "$1\n"}' catalina.out
The spacing appears different in the different regexes that you are showing. Maybe it's just the linebreaking or the font of your post, though. Try
index=myIndex | rex "executeExternalProcessPassword.*@(?<org>.+)$"
We were discussing this in #splunk IRC, and the missing pipe character before rex in the question/example turned out to be the real culprit.
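To see what the two regexes in this thread actually capture once the pipe problem is out of the way, here is an added example (my own code, not from the question or the answer) that runs the question's pattern, the answer's pattern and a slightly hardened variant over a few constructed log lines modelled on the format shown above. Splunk's rex uses PCRE and accepts (?<org>...); Python's re module needs (?P<org>...), so the patterns are transcribed that way. The company names other than COMPANY and the trailing-whitespace line are assumptions made up for the example.

```python
import re

# Constructed sample lines (not from the original post), modelled on the
# Tomcat/log4j format shown in the question. The third line deliberately
# carries trailing whitespace to show what ".+$" and ".*" sweep up.
SAMPLE_LOG_LINES = [
    "31 Jan 2012 23:59:39,963 [com.action.ProcessPassword] (TP-Processor87) "
    "(8e48955b5d66036:24.6.170.156) DEBUG: Started executeExternalProcessPassword() for name @ COMPANY",
    "31 Jan 2012 23:59:40,101 [com.action.ProcessPassword] (TP-Processor12) "
    "(8e48955b5d66036:24.6.170.156) DEBUG: Started executeExternalProcessPassword() for name@OtherCo",
    "31 Jan 2012 23:59:40,250 [com.action.ProcessPassword] (TP-Processor12) "
    "(8e48955b5d66036:24.6.170.156) DEBUG: Finished executeExternalProcessPassword() for name @ Acme Inc" + "   ",
    "31 Jan 2012 23:59:41,000 [com.action.Login] (TP-Processor03) "
    "(8e48955b5d66036:24.6.170.156) INFO: user login for name @ ShouldNotMatch",
]

# The question's pattern: requires a literal " @ " with spaces on both sides.
RE_QUESTION = re.compile(r"executeExternalProcessPassword.* @ (?P<org>.*)")

# The answer's pattern: no spaces around "@", so a leading space ends up in the capture.
RE_ANSWER = re.compile(r"executeExternalProcessPassword.*@(?P<org>.+)$")

# Hardened variant (my addition, not from the thread): tolerate optional
# whitespace around "@" and drop trailing whitespace, so only the org name is captured.
RE_STRICT = re.compile(r"executeExternalProcessPassword.*?@\s*(?P<org>\S.*?)\s*$")


def extract_orgs(lines, pattern):
    """Return one org capture per matching line, in order, the way
    '... | rex "<pattern>"' would populate the org field."""
    orgs = []
    for line in lines:
        m = pattern.search(line)
        if m:
            orgs.append(m.group("org"))
    return orgs


if __name__ == "__main__":
    for name, pattern in (("question", RE_QUESTION), ("answer", RE_ANSWER), ("strict", RE_STRICT)):
        print(name, extract_orgs(SAMPLE_LOG_LINES, pattern))
```

The run shows the practical difference: the question's regex silently skips the "name@OtherCo" line because the spaces around "@" are mandatory, the answer's regex matches all three but carries a leading space into org (so "COMPANY" and " COMPANY" would be counted as different values by a later "| stats count by org"), and the stricter variant yields clean values for all three. In Splunk the field=_raw argument is the default, so "| rex "<pattern>"" is equivalent to "| rex field=_raw "<pattern>""; what cannot be omitted is the pipe in front of rex.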