Splunk Search

Extract two field into two variable from a single line of log

anilkashyap
New Member

I want to extract the PID number from the log and store in variable failedPID. i have many of this kind of message with different Application Names.

Application: MM Viewer, PID: 7988 failed
Application: Database Browser App, PID: 6788 failed
Application: CentralViewer, PID: 7978 failed

i am using

rex  "Application:  (?<failedPID>.*) failed" | dedup 1 _time | chart count by failedPID

which is giving me output as

MM Viewer, PID: 7988
Database Browser App, PID: 6788
CentralViewer, PID: 7978

my ultimate goal is to store Application name in failedApp variable and PID in failedPID avriable.

Tags (3)
0 Karma
1 Solution

DavidHourani
Super Champion

Hi @anilkashyap,

If this only applies to failed events, then try this :

| rex  field=_raw  "Application:\s(?<failedApp>.+),\sPID:\s(?<failedPID>\d+)\sfailed"

Cheers,
David

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi anilkashyap,
you can extract both the fields using one regex:

| rex "Application:\s+(?<failedApp>[^,]*),\s+PID:\s+(?<failedPID>\d*)\s+failed"

You can test it at https://regex101.com/r/piK2bJ/1

Bye.
Giuseppe

0 Karma

DavidHourani
Super Champion

Hi @anilkashyap,

If this only applies to failed events, then try this :

| rex  field=_raw  "Application:\s(?<failedApp>.+),\sPID:\s(?<failedPID>\d+)\sfailed"

Cheers,
David

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@anilkashyap

Try

|rex  "Application:\s+(?<failedApp>.+),\s+PID:\s+(?<failedPID>\d+)"
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...