Solved: How to extract the all the field using rex?

karthi2809 · ‎06-20-2018

How to extract success and fatal into one field and also extract two Fields after FATAL

2018-06-18 02:06:34,606|261529301994221|MA_SELECT|785M91236|602304234|001|WGS20||||EMAIL|SPALACIOS810@GMAIL.COM|LEVEL2|||SUCCESS|| 
2018-06-18 02:06:34,294|7961529301994286|MA_SELECT|AN72688470000|202465241|001|NASCO||||EMAIL|SANGELI@OUTDRS.NET|LEVEL2|||
FATAL|E000057P|Member not found

FrankVl · ‎06-20-2018

Shortcut approach to extract into result field:

| rex "\|(?<result>SUCCESS|FATAL)\|"

This is a shortcut since it assumes there are no other part of the event that could match this SUCCESS or FATAL string.

A safer approach would be to create a regex that extracts the SUCCESS/FATAL value from the expected location in the message:

| rex "(?:[^\|]*\|){15}(?<result>SUCCESS|FATAL)"

https://regex101.com/r/FvClhk/1

An other option is to configure delimiter based field extraction.

props.conf:

REPORT-extractfields = extractfields

transforms.conf

[extractfields]
DELIMS = "|"
FIELDS = field1, field2, field3

Note: replace the field1 etc. with your own list of comma separated field names.

View solution in original post

rlait_splunk · ‎06-20-2018

If it's just FATAL or SUCCESS, you could try:

(?<status>FATAL|SUCCESS)

FrankVl · ‎06-20-2018

Shortcut approach to extract into result field:

| rex "\|(?<result>SUCCESS|FATAL)\|"

This is a shortcut since it assumes there are no other part of the event that could match this SUCCESS or FATAL string.

A safer approach would be to create a regex that extracts the SUCCESS/FATAL value from the expected location in the message:

| rex "(?:[^\|]*\|){15}(?<result>SUCCESS|FATAL)"

https://regex101.com/r/FvClhk/1

An other option is to configure delimiter based field extraction.

props.conf:

REPORT-extractfields = extractfields

transforms.conf

[extractfields]
DELIMS = "|"
FIELDS = field1, field2, field3

Note: replace the field1 etc. with your own list of comma separated field names.

karthi2809 · ‎06-20-2018

I need to extract two fields after FATAL

493669 · ‎06-20-2018

@karthi2809, try this extended version to extract remaining fields:

 |rex field=data "\|(?<result>SUCCESS|FATAL)\|(?<number>\w+)?\|(?<status>[a-zA-Z ]+)?"

karthi2809 · ‎06-20-2018

Thank you so much

Anam · ‎06-20-2018

Hi @karthi2809

My name is Anam and I am the Community Content Specialist for Splunk Answers. Please go ahead and accept the answer that worked for you. If it is a comment, let me know and I can convert it to an answer and accept it.

Thanks

mayurr98 · ‎06-20-2018

can you put the sample events in 101010 sample code format as I am not able to understand it

karthi2809 · ‎06-20-2018

101010|101010|101010|101010|101010|101010|101010||||101010|101010|101010|||FATAL|E000110|file not found
101010|101010|101010|101010|101010|101010|101010||||101010| 101010 |101010|||SUCCESS||
101010|101010|101010|101010|101010|101010|101010|||101010|101010| 101010 |101010|||FATAL|E10021|file not found

FrankVl · ‎06-20-2018

he meant using the 101010 button in the editor, to mark the sample as code, that prevents special characters from dissapearing etc.

But take a look at my answer below and see if that works.

How to extract the all the field using rex?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life