How to use rex to extract the values?

ewise1 · ‎05-25-2017

I want to make a table that shows ACTION, DATABASE USER, PRIVILEGE, CLIENT USER and DBID; I want the value between ' '. My field extraction and rex fails. Please advice.

Sat May 20 23:59:45 2017
LENGTH : '426'
ACTION :[278] 'select sofar, context, start_time from v$session_longops where (start_time > nvl(:1, sysdate-100) or start_time = nvl(:2, sysdate+100)) and sid = :3 and serial# = :4 and opname like 'RMAN:%' order by start_time desc, context desc'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'bing'
CLIENT TERMINAL:[0] ''
STATUS:[1] '0'
DBID:[9] '000000000'

MuS · ‎05-25-2017

Hi ewise1,

take a look at this answer https://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html to learn how it can be done.

Your regex would be something like this:

 ^(\w+\s\w+|^\w+)[\s:\[\d\]]+'(.+)'

hope this helps ...

cheers, MuS

ewise1 · ‎05-26-2017

MuS,

thanks for your response, referring to the link you mentioned I should say that I don't have access to transform.conf.

MuS · ‎05-26-2017

How come? transforms.conf can be created/modified in the UI under settings - fields - field transformation

Read this https://answers.splunk.com/answers/149597/im-struggling-with-how-i-should-be-doing-inputs-and-also-p... which explains how the options of props and transforms maps to the UI.
cheers, MuS

How to use rex to extract the values?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!