All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

field extractor

sri777
New Member
‎02-25-2013 09:04 PM

Fri Feb 22 20:52:59 2013 390603 : Failure during SQL operation to the database : ORA-00942: table or view does not exist (ARERR 552)
Fri Feb 22 20:52:59 2013 390603 : Failure during SQL operation to the database : ORA-00942: table or view does not exist (ARERR 552)

Fri Aug 31 16:54:19 2012 Sig-Cancelled - AP:Signature - 000000000031602|000000000017692
Fri Aug 31 16:54:19 2012 Approve : Operation cancelled due to error (ARAPPNOTE 4502)

Fri Aug 31 16:54:19 2012 Sig-Cancelled - AP:Signature - 000000000023551|000000000014287
Fri Aug 31 16:54:19 2012 Approve : Operation cancelled due to error (ARAPPNOTE 4502)

is the sample data. looking to extract only last field within ( ) error code and the text before it starting from :.*(AR* 111)
tried several rex and extraction as the data but no luck.

looking for help

thanks

Sri

0 Karma
Reply

tgow
Splunk Employee
Splunk Employee
‎02-25-2013 09:30 PM

Wondering if this works. 

.. | rex field=_raw "\(AR\S+\s+(?<error>[^\)]+)\)"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...