- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract the prefixed words from logs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All,
I require help in extracting the words that appear right before the word.
Example:
Null.set.error
Nullerror
Set-get-error
Timed out error
Unknown - error
From the above,the expected result is
Null.set
Null
Set-get
Timed out
Unknown
Kindly help me with this.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi prettysunshinez,
Based on the provided examples, give this a try:
your search here | rex "(?<ThisIsWhatYouWant>.+?)[\s\.-]*error"
Hope this helps ...
cheers, MuS
UPDATE After some feedback and new examples the correct regex is:
your search here | rex "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | rex ":\s*(?<error_prefix>.*?)[^A-z]+\s+error"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi prettysunshinez,
Based on the provided examples, give this a try:
your search here | rex "(?<ThisIsWhatYouWant>.+?)[\s\.-]*error"
Hope this helps ...
cheers, MuS
UPDATE After some feedback and new examples the correct regex is:
your search here | rex "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MuS,
Thanks for your help.
This seems to work but this seems to capture all the words that are present before the word error
For Example:
In the below log,
Could not complete.Reason : Null.set.error
The expected is only Null.set but the its extracting me 'Could not complete.Reason : Null.set'
Likewise for the others also.
Could you kindly help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi prettysunshinez,
well you did not provided that example in your question so my regex was based on what you provided 😉 But try this regex :
"(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"
this will also match correctly with the new example that you just provided 🙂
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MuS
Thanks! This works fine 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome and thank you 🙂
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I updated my answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @Noah_Woodcock
Think you have got me wrong.
I wanted to extract only the very first word that comes before the word error.
So in my initial question,I have shared the sample as below.
Null.set.error
Nullerror
Set-get-error
Timed out error
Unknown - error
and the regex that has been suggested (rex "(?.+?)[\s.-]*error") seem to capture everything that is present before the word error.
For Example:
In the below log,
Could not complete.Reason : Null.set.error
The expected is only Null.set but the its extracting me 'Could not complete.Reason : Null.set'
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
