- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Formatting Log Name with Regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello. I am currently trying to do something with a list of logs that I have been given.
All of the logs have the same format:
/this/is/.../an_example_relevantInformationHere.2016-08-03.log
What I want to do is to use regex to search through the strings and to find the part that says relevantInformationHere and create a table with that as the header. Right now my rex looks like:
..|rex "an_example_(?\w+)."| table parameterName
It looks like it worked in the regex testers that I used, but I am not receiving the expected output in splunk. What am I doing wrong and is there a difference between the splunk regex and the regex on another site?
Thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
... | rex field=_raw "_\w+_(?<parameterName>\w+)\." | table parameterName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you are talking about the source field give this a go:
| rex field=source "(?<parameterName>[a-zA-Z]+)\.\d{4}-\d{2}-\d{2}\.\w+"
Keep in mind you can play with the following bit [a-zA-Z]+ to accept whatever symbols you might expect in your relevant information section. Also remember \w+ includes underscores.
Hope that helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
... | rex field=_raw "_\w+_(?<parameterName>\w+)\." | table parameterName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I tried that, it ended up putting the raw string parameterName instead of the actual value it should be.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just test this run anywhere sample and it works. Can you test this and let me know the results
| makeresults | eval x="/this/is/.../an_example_relevantInformationHere.2016-08-03.log" | rex field=x "_\w+_(?<parameterName>\w+)\." | table parameterName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked properly, however, will this work properly without hard coding the name?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is the name of the file. As in the source? If it is, change the rex command to this and it should work
rex field=source "_\w+_(?<parameterName>\w+)\."
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
