Splunk Search

Formatting Log Name with Regex

JibBgh
New Member

Hello. I am currently trying to do something with a list of logs that I have been given.

All of the logs have the same format:

/this/is/.../an_example_relevantInformationHere.2016-08-03.log

What I want to do is to use regex to search through the strings and to find the part that says relevantInformationHere and create a table with that as the header. Right now my rex looks like:

... | rex "an_example_(?<parameterName>\w+)." | table parameterName

It looks like it worked in the regex testers that I used, but I am not receiving the expected output in Splunk. What am I doing wrong, and is there a difference between the Splunk regex and the regex on another site?

Thank you.

0 Karma
1 Solution

sundareshr
Legend

Try this

... | rex field=_raw "_\w+_(?<parameterName>\w+)\." | table parameterName


0 Karma

javiergn
SplunkTrust

Assuming you are talking about the source field, give this a go:

| rex field=source "(?<parameterName>[a-zA-Z]+)\.\d{4}-\d{2}-\d{2}\.\w+"

Keep in mind you can play with the following bit [a-zA-Z]+ to accept whatever symbols you might expect in your relevant information section. Also remember \w+ includes underscores.

Hope that helps

0 Karma


JibBgh
New Member

When I tried that, it ended up putting the raw string parameterName instead of the actual value it should be.

0 Karma

sundareshr
Legend

I just tested this run-anywhere sample and it works. Can you test this and let me know the results?

| makeresults | eval x="/this/is/.../an_example_relevantInformationHere.2016-08-03.log" | rex field=x "_\w+_(?<parameterName>\w+)\." | table parameterName
0 Karma

JibBgh
New Member

That worked properly, however, will this work properly without hard coding the name?

0 Karma

sundareshr
Legend

Is it the name of the file, as in the source? If it is, change the rex command to this and it should work:

rex field=source "_\w+_(?<parameterName>\w+)\."
0 Karma
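As an added example (not code from any of the posts above), here are the two rex patterns suggested by sundareshr and javiergn run against a few constructed sample source values in JavaScript, whose RegExp accepts the same (?<name>...) named-group syntax that Splunk's rex uses. The sample paths, the PATTERNS names and the extractParameter / tableParameterName helpers are assumptions for this demonstration; they emulate `rex field=source "..." | table parameterName` outside Splunk so you can see what each pattern captures when the relevant-information segment contains an underscore or a digit, or when the file has no date component.

```javascript
// Added example, not from the thread: emulating the two rex patterns from the
// answers with JavaScript RegExp, which uses the same (?<name>...) syntax as
// Splunk's rex. Sample source values below are constructed for this demo.

const PATTERNS = {
  // sundareshr's pattern: skip one "_word_" segment, then capture up to the
  // next literal dot. \w+ includes underscores, so the capture stops at the
  // first underscore-free run before a dot.
  sundareshr: /_\w+_(?<parameterName>\w+)\./,
  // javiergn's pattern: letters immediately before ".YYYY-MM-DD.<ext>".
  // Digits or underscores inside the relevant part make it fail to match.
  javiergn: /(?<parameterName>[a-zA-Z]+)\.\d{4}-\d{2}-\d{2}\.\w+/,
};

// Emulates `rex field=source "<pattern>"` on a single value. Returns the
// captured group, or null when nothing matches (Splunk's rex simply leaves
// the field absent on non-matching events, it does not error).
function extractParameter(path, pattern) {
  const m = pattern.exec(path);
  return m && m.groups ? m.groups.parameterName : null;
}

// Emulates `| rex ... | table parameterName` over a list of events.
function tableParameterName(paths, pattern) {
  return paths.map((p) => extractParameter(p, pattern));
}

// Constructed sample "source" values, modelled on the format in the question.
const SAMPLE_SOURCES = [
  "/this/is/a/path/an_example_relevantInformationHere.2016-08-03.log",
  "/var/log/app/an_example_auth_failures.2016-08-03.log", // underscore inside the info
  "/var/log/app/an_example_ssh2.2016-08-03.log",          // digit inside the info
  "/var/log/app/an_example_noDate.log",                   // no date component
];

// Stand-alone run: print a small table per pattern, like `table parameterName`.
for (const [name, pattern] of Object.entries(PATTERNS)) {
  console.log(`pattern: ${name}`);
  tableParameterName(SAMPLE_SOURCES, pattern).forEach((value, i) => {
    console.log(`  ${SAMPLE_SOURCES[i]} -> ${value === null ? "(no match)" : value}`);
  });
}
```

Run it with node. Both patterns return relevantInformationHere for the question's own sample, but note the edge cases the output exposes: an underscore inside the relevant part is cut off by both patterns (auth_failures becomes failures, because \w+ matches underscores, as javiergn points out), and the [a-zA-Z]+ variant yields no field at all for ssh2 or for a file without a date. That is the same behaviour you would see in Splunk: the extracted field is simply missing for those events rather than holding a wrong value, which is worth checking with a makeresults test before relying on the field in a dashboard or alert.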