REGEX to collect all data after final closing bracket

Michael_Schyma1
Contributor

Hey Guys,
Here are a few examples of the logs that we have. I am having trouble grabbing everything from the last bracket ] to the end of each log with a rex.

Thank you

    Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.151 17CBFB90 verbose 'App'] Set internal stats for VM: 31 (vpxa VM id), 1625 (vpxd VM id). Is FT primary? 0
    Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.094 17E45B90 verbose 'App'] [VpxaInvtVmChangeListener] Guest DiskInfo Changed
    Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.094 17E45B90 verbose 'App'] [VpxaHalServices] VmGuestDiskChange Event for vm(203) 3248
    Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.093 17E45B90 verbose 'App'] [VpxaHalVmHostagent] 3248: GuestInfo changed 'guest.disk'
    Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.093 17E45B90 verbose 'VpxaHalCnxHostagent'] [VpxaHalCnxHostagent::ProcessUpdate] Applying updates from 3213921 to 3213922 (at 3213921)
0 Karma
1 Solution

kristian_kolb
Ultra Champion

This ought to work.

... | rex "\]\s(?<msg>.*?)\s*$"

or if that's too greedy, try

... | rex "\]\s(?<msg>[^\]]*?)\s*$"

The new field will be called msg and contain everything from the last ending square bracket to the end-of-line.

/k
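The two rex patterns from the answer, run over the sample events from the question, as an added example (Python; this is not code from the thread). Splunk's rex takes PCRE named groups, (?<msg>...), while Python's re module needs (?P<msg>...); that is the only change made to the two patterns. The third pattern with a greedy ^.* prefix is an added suggestion and not from the thread. A non-regex reference (text after the last "]", stripped) is computed alongside so each pattern can be checked against what the question actually asked for. On the four sample lines that carry a second bracketed tag, the first pattern captures from the first "]" onward (it is anchored at the first match, not the last bracket), while the second pattern and the greedy-prefix one land after the last "]".

```python
import re
from typing import Dict, List, Optional

# Sample events copied from the question above (vpxa syslog lines); nothing added to them.
SAMPLE_LOGS: List[str] = [
    "Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.151 17CBFB90 verbose 'App'] Set internal stats for VM: 31 (vpxa VM id), 1625 (vpxd VM id). Is FT primary? 0",
    "Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.094 17E45B90 verbose 'App'] [VpxaInvtVmChangeListener] Guest DiskInfo Changed",
    "Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.094 17E45B90 verbose 'App'] [VpxaHalServices] VmGuestDiskChange Event for vm(203) 3248",
    "Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.093 17E45B90 verbose 'App'] [VpxaHalVmHostagent] 3248: GuestInfo changed 'guest.disk'",
    "Aug 28 10:21:26 chtr990.company.com Aug 28 14:21:26 Vpxa: [2012-08-28 14:21:26.093 17E45B90 verbose 'VpxaHalCnxHostagent'] [VpxaHalCnxHostagent::ProcessUpdate] Applying updates from 3213921 to 3213922 (at 3213921)",
]

# The two patterns from the answer. Splunk's rex uses PCRE named groups (?<msg>...);
# Python's re needs (?P<msg>...). That is the only edit made to them.
REX_FIRST = re.compile(r"\]\s(?P<msg>.*?)\s*$")
REX_SECOND = re.compile(r"\]\s(?P<msg>[^\]]*?)\s*$")

# Added alternative (not from the thread): the greedy ^.* prefix makes the engine back-track
# to the LAST ']' on the line, and \s* after it tolerates text glued directly to the bracket.
REX_GREEDY_PREFIX = re.compile(r"^.*\]\s*(?P<msg>.*?)\s*$")

PATTERNS: Dict[str, re.Pattern] = {
    "first": REX_FIRST,
    "second": REX_SECOND,
    "greedy_prefix": REX_GREEDY_PREFIX,
}


def extract_msg(line: str, pattern: re.Pattern) -> Optional[str]:
    """Return the 'msg' group of the first match, which is what rex does by default (max_match=1)."""
    m = pattern.search(line)
    return m.group("msg") if m else None


def compare_patterns(lines: List[str] = SAMPLE_LOGS) -> List[Dict[str, Optional[str]]]:
    """Apply every pattern to every line; one {pattern_name: captured_msg} dict per line."""
    return [{name: extract_msg(line, pat) for name, pat in PATTERNS.items()} for line in lines]


def after_last_bracket(line: str) -> Optional[str]:
    """Reference answer computed without a regex: the text after the last ']', stripped."""
    idx = line.rfind("]")
    return line[idx + 1:].strip() if idx != -1 else None


def patterns_agreeing_with_reference(lines: List[str] = SAMPLE_LOGS) -> Dict[str, bool]:
    """For each pattern, True if it equals the non-regex reference on every line."""
    return {
        name: all(extract_msg(line, pat) == after_last_bracket(line) for line in lines)
        for name, pat in PATTERNS.items()
    }


if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOGS, compare_patterns()):
        print("..." + line[-60:])
        for name, msg in result.items():
            print(f"  {name:14s} -> {msg!r}")
    print(patterns_agreeing_with_reference())
```

Two caveats carry over to Splunk. Both patterns from the answer require exactly one whitespace character after the bracket (\s), so an event like "[tag]text" with nothing between "]" and the text yields no msg field at all; \s* removes that dependency. And because rex stops at the first match, a pattern that can succeed at the first "]" will, so anything meant to find the last bracket has to either forbid further brackets in the capture (the [^\]]* form) or consume the prefix greedily (the ^.* form).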


kristian_kolb
Ultra Champion

updated with a less greedy variant /k

0 Karma

Michael_Schyma1
Contributor

Any suggestions???

0 Karma