Hello. I am currently trying to do something with a list of logs that I have been given.
All of the logs have the same format:
/this/is/.../an_example_relevantInformationHere.2016-08-03.log
What I want to do is to use regex to search through the strings and to find the part that says relevantInformationHere and create a table with that as the header. Right now my rex looks like:
..|rex "an_example_(?<parameterName>\w+)."| table parameterName
It looks like it worked in the regex testers that I used, but I am not receiving the expected output in Splunk. What am I doing wrong, and is there a difference between Splunk regex and the regex on another site?
Thank you.
Try this
... | rex field=_raw "_\w+_(?<parameterName>\w+)\." | table parameterName
Assuming you are talking about the source field, give this a go:
| rex field=source "(?<parameterName>[a-zA-Z]+)\.\d{4}-\d{2}-\d{2}\.\w+"
Keep in mind you can play with the following bit, [a-zA-Z]+, to accept whatever symbols you might expect in your relevant information section. Also remember \w+ includes underscores.
Hope that helps
Try this
... | rex field=_raw "_\w+_(?<parameterName>\w+)\." | table parameterName
When I tried that, it ended up putting the raw string parameterName instead of the actual value it should be.
I just tested this run-anywhere sample and it works. Can you test this and let me know the results?
| makeresults | eval x="/this/is/.../an_example_relevantInformationHere.2016-08-03.log" | rex field=x "_\w+_(?<parameterName>\w+)\." | table parameterName
That worked properly; however, will this work properly without hard-coding the name?
Is the name the file name, as in the source? If it is, change the rex command to this and it should work:
rex field=source "_\w+_(?<parameterName>\w+)\."
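The two regexes suggested above (the `_\w+_(?<parameterName>\w+)\.` form and the `[a-zA-Z]+` before the date form) can be checked offline before running them in Splunk. The following is an added example, not code from the thread or from Splunk; it uses JavaScript because its named-group syntax `(?<name>...)` is the same as the PCRE syntax rex uses. The sample paths are constructed, the `rexExtract` helper stands in for `rex field=source`, and the third, anchored pattern goes beyond the answers: it assumes the fixed `an_example_` prefix from the question and shows how to keep underscores inside the interesting part, which the first two patterns cut at (as the second answer's note that `\w+` includes underscores warns).

```javascript
// Added example (not from the original thread). Named groups in JavaScript use
// the same (?<name>...) syntax as Splunk's PCRE-based rex command.

// Pattern from the first answer: skip one "_word_" prefix, capture word
// characters up to the next literal dot.
const REX_UNDERSCORE_PREFIX = /_\w+_(?<parameterName>\w+)\./;

// Pattern from the second answer: letters immediately before ".YYYY-MM-DD.<ext>".
const REX_DATE_SUFFIX = /(?<parameterName>[a-zA-Z]+)\.\d{4}-\d{2}-\d{2}\.\w+/;

// Hypothetical hardened pattern (assumption: the prefix is always "an_example_"):
// anchor on that prefix, allow anything but a dot in the name, and require the
// ".YYYY-MM-DD.log" tail at end of string so underscores in the name survive.
const REX_ANCHORED = /an_example_(?<parameterName>[^.]+)\.\d{4}-\d{2}-\d{2}\.log$/;

// Mimics `rex field=source "<pattern>"`: the named capture, or null when the
// regex does not match (in Splunk the field would simply be absent).
function rexExtract(source, pattern) {
  const m = pattern.exec(source);
  return m && m.groups ? m.groups.parameterName : null;
}

// Constructed sample values of the source field (not real data).
const SAMPLE_SOURCES = [
  "/this/is/.../an_example_relevantInformationHere.2016-08-03.log",
  "/var/log/app/an_example_foo_bar.2016-08-04.log", // underscores in the name
];

// Run one pattern over every sample, like `| table parameterName` would show.
function extractAll(pattern) {
  return SAMPLE_SOURCES.map((s) => rexExtract(s, pattern));
}

// Side-by-side comparison of the three patterns on the constructed sources.
for (const [label, pattern] of [
  ["underscore prefix", REX_UNDERSCORE_PREFIX],
  ["date suffix", REX_DATE_SUFFIX],
  ["anchored", REX_ANCHORED],
]) {
  console.log(label.padEnd(18), JSON.stringify(extractAll(pattern)));
}
```

On the path from the question all three patterns return `relevantInformationHere`. On the second sample, `_\w+_(?<parameterName>\w+)\.` backtracks until the last underscore and `[a-zA-Z]+` cannot cross one, so both yield `bar`; only the anchored pattern keeps `foo_bar`. Testing against a few representative source values this way is a cheap check before the search is trusted for reporting.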