Solved: Can you help me extract the following fields using...

harishnpandey · ‎01-24-2019

Is there any way I can extract only PersistenceLo cache cleared! and PmFinUtilityL Cache Cleared (highlighted in BOLD)

[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared.

I appreciate your help to frame rex query.

somesoni2 · ‎01-24-2019

Give this a try

your base search | rex "^(\S+\s+){4}(?<Message>.+)"

View solution in original post

vinod94 · ‎01-24-2019

You can try this,

| makeresults 
| eval data="[1/24/19 14:27:33:498 EST] 00007d47 PersistenceLo I cache cleared!,
[1/24/19 14:27:32:091 EST] 00005167 PersistenceLo I cache cleared!,
1/24/19 0:01:55:185 EST] 000001dc PmFinUtilityL I cache cleared!,
[1/23/19 23:59:59:013 EST] 000060e4 PmFinUtilityL I Cache Cleared." 
| makemv delim="," data 
| mvexpand data 
| rename data as _raw 
| rex field=_raw "]\s\d+\w+\s(?P<field>[^?].*)"

somesoni2 · ‎01-24-2019

Give this a try

your base search | rex "^(\S+\s+){4}(?<Message>.+)"

harishnpandey · ‎01-25-2019

Awesome bud. It works as expected.

Appreciate your prompt reply. Thank you

harishnpandey · ‎01-24-2019

Hi,

Can you please explain a bit about solution

nickhills · ‎01-25-2019

What the regex statement means is:

(\S+\s+)
some characters, then a space

{4}
repeat the above 4 times

(?<Message>.+)
take all the remaining characters, and write them to a new field called 'Message'

Does that help

If my comment helps, please give it a thumbs up!

Can you help me extract the following fields using the rex command?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life