Solved: Help in Regex

vrmandadi · ‎03-24-2017

I have the field message - Method: Execute | Class: GetUsersByVinActivity
message- Method: Execute | Class: DecodeVinActivity

I want the method and class to extract as new fields from the message field

Thanks in advance

MuS · ‎03-24-2017

Hi vrmandadi,

if the events are always in the format of the example you can use this regex:

 your search here to get the events 
| rex max_match=0 field=message "Method:\s(?<Method>[^\s]+)\s\|\sClass:\s(?<Class>[^\s]+)" 
| table _time Method Class

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎03-24-2017

Hi vrmandadi,

if the events are always in the format of the example you can use this regex:

 your search here to get the events 
| rex max_match=0 field=message "Method:\s(?<Method>[^\s]+)\s\|\sClass:\s(?<Class>[^\s]+)" 
| table _time Method Class

Hope this helps ...

cheers, MuS

vrmandadi · ‎03-24-2017

Thanks a lot Mus

jrbanks6 · ‎03-24-2017

^\w+\s+.\s+\w+.\s+\w+\s+\w+.\s+\w+.\s+(?\w+\s+).\s+\w+.\s+(?\w+)

This is a "Greedy" RegEx - Regex101.com is your friend!

Help in Regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!