I'm fairly new to Splunk and have just learned how to use rex/regex. I am trying to add a column in my string search to a statistics table to display the name of the workstation. This is my current string.
Hi harshparikhxlrd
If the field you want is ComputerName, you probably already have it, because Splunk recognizes field=value pairs by itself.
Anyway the regex to extract Computername is:
| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task"
that you can test at https://regex101.com/r/0n0rks/1
So your search will be (sorry I cannot rewrite your regex because I cannot see it, use Code Sample button to share regexes):
index=monitoring sourcetype=PEGA:WinEventLog:Application ( SourceName="RoboticLogging" OR SourceName="Application" ) ("Department=" "HRSS_STL") ("Type=" "Error")
| rex "Message : (?.+.?)"
| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task"
| stats count by ex
| rename ex as Exception
Ciao.
Giuseppe
Hi harshparikhxlrd,
Try now:
index=monitoring sourcetype=PEGA:WinEventLog:Application ( SourceName="RoboticLogging" OR SourceName="Application" ) ("Department=" "HRSS_STL") ("Type=" "Error")
| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task.*Message\=(?<Message>.*)"
| stats values(Message) As Message values(Computername) AS Computername count by ex
| rename ex as Exception
That you can test at https://regex101.com/r/0n0rks/2.
Ciao.
Giuseppe
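Added example (not part of the original posts): the thread's extraction pattern run in Python over constructed events, showing that `[^ ]*` also consumes the line break before `Task`, next to a hypothetical `\S+` variant that does not. The event layout, host names, messages and function names are assumptions, since the poster's real events are not shown.

```python
import re
from collections import Counter

# Constructed events in the key=value layout Splunk uses for WinEventLog
# (an assumption: the poster's real events are not shown in the thread).
def make_event(host, message):
    return ("LogName=Application\nSourceName=RoboticLogging\n"
            f"ComputerName={host}\nTaskCategory=None\nType=Error\n"
            f"Message={message}")

EVENTS = [
    make_event("WKSTN-01.example.local", "Robot step failed: timeout"),
    make_event("WKSTN-01.example.local", "Robot step failed: timeout"),
    make_event("WKSTN-02.example.local", "Login window not found"),
]

# Pattern from the thread; Python spells named groups (?P<name>...).
AS_POSTED = re.compile(
    r"(?ms)ComputerName\=(?P<Computername>[^ ]*)Task.*Message\=(?P<Message>.*)")
# Hypothetical tightening: \S+ stops at the first whitespace character.
TIGHT = re.compile(
    r"(?ms)ComputerName=(?P<Computername>\S+)\s+Task.*?Message=(?P<Message>.*)")

def extract(pattern, event):
    """Return the named groups for one event, or None if it does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else None

def count_by_host_and_message(pattern, events):
    """Rough stand-in for `stats count by Computername Message`."""
    counts = Counter()
    for event in events:
        fields = extract(pattern, event)
        if fields is None:
            continue  # event lacks ComputerName/Task/Message in that order
        counts[(fields["Computername"], fields["Message"])] += 1
    return counts

if __name__ == "__main__":
    for name, pattern in (("as posted", AS_POSTED), ("tight", TIGHT)):
        for key, n in count_by_host_and_message(pattern, EVENTS).items():
            print(name, repr(key[0]), repr(key[1]), n)
```

A trailing line break in the host value matters when the field is later matched against a lookup or asset inventory, where the comparison is exact.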
Adding to previous post:
Message=