Hi,
Actually I have two events in the output like this...
Now my question: I need to create a field extraction for Message, in which I am interested only in UserMessage and SystemMessage. So I have created two rex expressions like this...
rex field=_raw "<.?System.?\s+<.?Search_Message>(?
rex field=_raw "<.?UI.?\s+<.?Search_Message>(?
and my query is something like this...
sourcetype="A" |rex field=_raw "<.?System.?\s+<.?Search_Message>(?
This query is working fine, but it is taking too long. So my question: can I create two rex expressions like the ones I created just above using the field extractions in Splunk? And can I make this query run faster? Please help.
Try this
sourcetype=A "User Message" OR "System Message"
| rex field=_raw "\<message\>(?P<Search_Message>.*?)\</message\>"
| where Search_Message="User Message" or Search_Message="System Message"
| table Search_Message
Or if you only want User Messages, then this
sourcetype=A "User Message"
| rex field=_raw "\<message\>(?P<Search_Message>.*?)\</message\>"
| where Search_Message="User Message"
| table Search_Message
This should be faster, because you are first selecting only events that have the string "User Message" or "System Message" in them. This should eliminate many unneeded events before Splunk even starts the field extraction. Also, I think your field extraction is more complicated than it needs to be.
The formatting of your question makes it difficult to read. Can you edit the question and change the rex command and the query to "code format"? I can't tell if you meant some of the special characters to be part of your query or if you intended to format the question...
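The question also asked whether the inline rex can be turned into a Splunk field extraction. As an added example (not from either post), this is the same regex the answer uses, moved into a search-time extraction in props.conf, with the literal pre-filter kept in the search so the speed gain from narrowing events first still applies. Assumptions: the sourcetype really is "A", the message text sits inside a `<message>...</message>` tag as the answer's regex implies, and the file lives in an app's `local` directory on the search head.

```ini
# props.conf  (added example; assumed path: $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf)
# Stanza name is the sourcetype. EXTRACT-<class> defines a search-time regex extraction;
# the named group becomes the field, so Search_Message exists without an inline rex.
[A]
EXTRACT-search_message = <message>(?P<Search_Message>.*?)</message>

# Search to run once the extraction is in place (restart or reload the search head first):
#
#   sourcetype=A ("User Message" OR "System Message")
#   | where Search_Message="User Message" OR Search_Message="System Message"
#   | table Search_Message
#
# The quoted literals do the cheap work against the index before any regex runs;
# the where clause then checks the extracted field, exactly as in the answer above.
```

Verify the extraction with a small time range first: if `| table Search_Message` comes back empty, the `<message>` tag assumption does not match your raw events and the regex needs adjusting to the actual markup.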