Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a filename Pics meeting pagoda.doc queued for possible file analysis upload
What is the regex to parse the bold section out of a raw log?
Like this:
... | rex "SHA (?<hash>\S+)"
Thank you for your answers! How would I make this into a field extraction?
At search time, or index time? BTW, Splunk best practice is at search time.
At search time. I need to use a Data Model that contains fields that are currently not being parsed from the raw logs. I ran the regex and it worked so now I need this to be a field extraction that I can add to an app that the Data Model uses.
Create a field extraction by going to Settings -> Fields -> Field Extractions -> New Field Extraction.
Then you fill in the form and use the regex in the Extraction/Transform field of the form.
@kjebaker3, refer to the following documentation for Field Extraction using IFX. You can override the automatic regular expression with your custom regular expression in the guided wizard: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
Something like this "run-anywhere" example should work for the case you provide:
| makeresults
| eval _raw="Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a"
| rex "SHA (?<hash>[a-f0-9]+)"
@kjebaker3, adding a raw event sample would help us identify the correct regular expression pattern. Assuming the SHA value is followed by a space character (the SHA itself will not contain a space), you can try the following regex on your _raw events:
<yourSearch>
| rex "SHA (?<hash>[^\s]+)\s"
@cpetterborg, slightly changed your Regex. Not sure of exact pattern until complete event can be posted.
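The three regex variants proposed in this thread behave differently on edge cases, which matters once the extraction feeds a data model. The following added example (not from any poster or from Splunk) runs each variant over constructed sample events with Python's re module, using the `(?P<hash>...)` named-group syntax instead of Splunk's PCRE `(?<hash>...)`; everything else about the patterns is unchanged.

```python
import re

# Constructed sample events modelled on the one quoted in the question (not real data).
SAMPLE_EVENTS = [
    # the original event: hash followed by a filename
    "Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a filename Pics meeting pagoda.doc queued for possible file analysis upload",
    # hash is the last token on the line, as in the makeresults example above
    "Mail_Log_Splunk: Info: MID 119972447 SHA ee1b5fe97eb813f416052526bc191f3112382a7e9638fba3a3ed2652acf81d5a",
    # same digest emitted with upper-case hex digits
    "Mail_Log_Splunk: Info: MID 119972448 SHA EE1B5FE97EB813F416052526BC191F3112382A7E9638FBA3A3ED2652ACF81D5A filename x.doc queued",
    # event without a SHA at all
    "Mail_Log_Splunk: Info: MID 119972449 message delivered",
]

# The patterns from the thread, with Python's (?P<name>...) group syntax.
PATTERNS = {
    "any_non_space": r"SHA (?P<hash>\S+)",            # cpetterborg's first answer
    "lowercase_hex": r"SHA (?P<hash>[a-f0-9]+)",      # the makeresults example
    "non_space_then_space": r"SHA (?P<hash>[^\s]+)\s",  # niketnilay's variant
}

# A SHA-256 digest is exactly 64 hex digits; use this to sanity-check what was captured.
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def extract_hash(event, pattern):
    """Return the captured hash for one event, or None when the pattern does not match."""
    m = re.search(pattern, event)
    return m.group("hash") if m else None


def is_sha256(value):
    """True when the captured value is a well-formed SHA-256 hex digest."""
    return value is not None and SHA256_RE.fullmatch(value) is not None


def compare_patterns(events):
    """Map each pattern name to the list of values it captures per event."""
    return {name: [extract_hash(e, p) for e in events] for name, p in PATTERNS.items()}


def valid_hash_count(events, pattern):
    """How many events yield a well-formed SHA-256 with this pattern."""
    return sum(1 for e in events if is_sha256(extract_hash(e, pattern)))


if __name__ == "__main__":
    for name, captured in compare_patterns(SAMPLE_EVENTS).items():
        print(name, captured)
```

The trailing `\s` in the third pattern drops the event whose hash ends the line, and `[a-f0-9]+` misses upper-case digests, so `SHA (?<hash>\S+)` plus a length check downstream is the more robust extraction for this format.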