Solved: Regex in splunk

malgru · ‎04-20-2020

Hello

I am trying to get a regex to work in splunk but without success, perhaps someone here can help me?

This work when I am testing (not in splunk)

", logdata="Process Code: -400
Process Message: [0]:ABC QRT 12764 NOT. <-PurchaseOrderLineId- HeadId:1415640 Division:10 Id:1-1>", marowver="7"

But how do I get an expression that works in Splunk? I want the string in bold: ABC QRT 12764 NOT

richgalloway · ‎04-20-2020

It would help to see your existing regex efforts.

Perhaps this will help: Process Message: \[\d+]:(?<processMessage>[\w\s]+)

---
If this reply helps you, Karma would be appreciated.

malgru · ‎04-20-2020

The regex that I got and work in other environments (Not Splunk ) is
(?<=Process Message)(.*)(?=<-DBTransaction)

Somehow it was not included in the my initial post

richgalloway · ‎04-20-2020

It would help to see your existing regex efforts.

Perhaps this will help: Process Message: \[\d+]:(?<processMessage>[\w\s]+)

---
If this reply helps you, Karma would be appreciated.

malgru · ‎04-20-2020

I just modified your example a little and it worked just fine, thanks

"(?<=Process Message:) \[\d+]:(?< basic_error_message>[\w\s]+)"

Regex in splunk