Splunk Search

Regex to extract two strings from log and make as field

pingdpk
Engager

Log - (given 2 lines for example)

2017/02/21 03:46:12.119-0800 [http-bio-8480-exec-3] C3AF4B3F9C2E40D2006D1513C81191A6.pppxwbtect014 INFO  c.e.c.w.b.r.ShirtsSaleResource -  #xHoster#  #**res_ShirtServiceTosite**#  ShirtsSaleResource.getLossier  , URI ->  /{1856659}  , Time taken to get JSON -> **58** milliseconds

2017/02/21 03:46:08.489-0800 [http-bio-8480-exec-2] 82F757837394C2E950AEB9A47043DD61.pppxwbtect010 INFO  c.e.c.p.m.i.CmppRestClientImpl -  #xHoster#  #**res_CmppToShirtService**#  CmppRestClientImpl.prepareChange  , URI -> http://ppp-Shirteu.ch.expeso.com:52008/order/PrepareChange , Time taken to get XML response ->  **178** milliseconds

Expected output :

Field1                            Field2
res_ShirtServiceToSite            58
res_CmppToShirtService            178

I tried :

index=app source=/var/log* "#xHoster#" | rex field=_raw res_(?.*)# | rex field=_raw .\-\>\s(?.*)\smilliseconds |table ptype,ptime
0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@pingdpk - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

0 Karma

zanb
Path Finder

Here's my RegEx:

(?P<ptype>res_\w+).*\*\*(?P<ptime>\d+)
0 Karma

nikhilb0763
Engager

How about this:

rex field=_raw "(?res_[^*]+)" | rex field=_raw "\*(?\d+)"
0 Karma

rjthibod
Champion

How about this

index=app source=/var/log* "#xHoster#" 
| rex field=_raw  "#(?<ptype>res_[^#]+)#.+\-\>\s*(?<ptime>\d+)\s*milliseconds" 
| table ptype ptime
0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

I came up with \*\*(?<ptype>res_[^\*]+)\*\*.*?\*\*(?<ptime>\d+)\*\*

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...