Solved: How to edit my regular expression to extract these...

anoopambli · ‎08-08-2016

Looking for some help with rex. The raw data looks like this,

value= Name : SiteScope.exe MemGB : 6568 Name : powershell_ise.exe MemGB : 153 Name : WmiPrvSE.exe MemGB : 146 Name : powershell_ise.exe MemGB : 143 Name : powershell.exe MemGB : 98 17496 Mon Aug 08 15:30:38 2016 stopping 17496 end perfex 31:19    0   3583    3583    Name : SiteScope.exe MemGB : 6568 Name : powershell_ise.exe MemGB : 153 Name : WmiPrvSE.exe MemGB : 146 Name : powershell_ise.exe MemGB : 143 Name : powershell.exe MemGB : 98 17496 Mon Aug 08 15:30:38 2016 stopping 17496 end perfex

I tried Name\s:\s+(?\w+.exe\s\w+\s+:\s\d+) regex which works fine in regex tested, but Splunk is not extracting the fields. I want to use max_match=0 so that it picks all the process name and memory usage. If the rex works fine, it should show result like below,

SiteScope.exe MemGB : 6568
powershell.exe MemGB : 98
WmiPrvSE.exe MemGB : 146

somesoni2 · ‎08-08-2016

Give this a try

your base search | rex max_match=0 "Name\s+:\s+(?<Process>\S+)\s+MemGB\s+:\s+(?<MemGB>\d+)" | table Process MemGB

View solution in original post

somesoni2 · ‎08-08-2016

Give this a try

your base search | rex max_match=0 "Name\s+:\s+(?<Process>\S+)\s+MemGB\s+:\s+(?<MemGB>\d+)" | table Process MemGB

anoopambli · ‎08-08-2016

That worked. Thank you very much.

richgalloway · ‎08-08-2016

What does your query look like?

---
If this reply helps you, Karma would be appreciated.

sloshburch · ‎08-11-2016

It seems the thing you tried didn't have a name to assign the capture group to. Notice in the correct answer (below) that there's a <Process> and <MemGB> after the capture group starts.

How to edit my regular expression to extract these fields from my sample data using rex?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life