Solved: Regex Help

alan20854 · ‎07-13-2016

Hello,

I am trying to create a table on my dashboard with the time stamp and the buildID. However, I am having regex trouble with my search.

Here is the search without the field extraction: host= x source= x "PDD_BUILDID". These events contain the buildID in a format such as [BUILDID=APP-2016.8-20160712194753]

This is my current search:

host= x source= x  "PDD_BUILDID"|rex field=_raw "BUILDID=(?P<build>\w*\d*\w*\d*\w*\d*)\x5D" | table build

I would like my table to contain the time and buildIDs such as APP-2016.8-20160712194753.

What am I doing wrong?

sundareshr · ‎07-13-2016

Try this

 host= x source= x  "PDD_BUILDID"|rex field=_raw "BUILDID=(?P<build>[^\]]+)" | table build

View solution in original post

somesoni2 · ‎07-13-2016

Try like this

 host= x source= x  "PDD_BUILDID"|rex field=_raw "BUILDID=(?P<build>[^-]+-[^-]+)-(?<time>\d+)" | table build time | rex mode=sed field=time "s/(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})/\1-\2-\3- \4:\5:\6/g"

sundareshr · ‎07-13-2016

Try this

 host= x source= x  "PDD_BUILDID"|rex field=_raw "BUILDID=(?P<build>[^\]]+)" | table build

Regex Help

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms