- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract a field using Regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have following output from a log file.
(5/1/13 - 1:36:05.01 PM) Event LOAD 1 Setup
(5/1/13 - 1:36:08.01 PM) Event LOAD 2 Setup
(5/1/13 - 1:37:07.37 PM) Event LOAD 1 Process
(5/1/13 - 1:37:17.37 PM) Event LOAD 3 Process
(5/1/13 - 1:38:07.39 PM) Event LOAD 1 Complete
(5/1/13 - 1:38:15.01 PM) Event LOAD 3 Setup
(5/1/13 - 1:38:17.39 PM) Event LOAD 2 Complete
(5/1/13 - 1:39:07.42 PM) Event READ 1 Setup
(5/1/13 - 1:39:17.37 PM) Event LOAD 3 Process
(5/1/13 - 1:39:27.39 PM) Event LOAD 3 Complete
(5/1/13 - 1:39:37.42 PM) Event READ 2 Setup
(5/1/13 - 1:39:57.42 PM) Event READ 3 Setup
(5/1/13 - 1:40:07.45 PM) Info READ 1 Process
(5/1/13 - 1:41:07.47 PM) Error READ 1 Complete
(5/1/13 - 1:41:17.45 PM) Info READ 2 Process
(5/1/13 - 1:41:27.45 PM) Info READ 3 Process
(5/1/13 - 1:41:57.47 PM) Error READ 2 Complete
(5/1/13 - 1:42:07.47 PM) Error READ 3 Complete
I need to extract a field "WorkID", so I used following REGEX
rex field=_raw "LOAD (?\d+)|READ (?\d+)"
and got error message "Regex: two named subpatterns have the same name"
If I change the WorkID field to WorkID1 and WorkID2, it works but not sure how to consolidate these 2 fields.
Later I will be using "Transaction" to get following output:
Start Time End Time WorkId
(5/1/13 - 1:36:05.01 PM) (5/1/13 - 1:41:07.47 PM) 1
(5/1/13 - 1:36:08.01 PM) (5/1/13 - 1:41:57.47 PM) 2
(5/1/13 - 1:38:15.01 PM) (5/1/13 - 1:42:07.47 PM) 3
What would be best ( practice) implementation for this issue?
Thanks!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you rework your RegEx a little bit, you should be able to get the field extraction. Try this out:
rex field=_raw "(LOAD|READ)\s(?<workid>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks to wpreston and sdaniels. Both solutions worked!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you rework your RegEx a little bit, you should be able to get the field extraction. Try this out:
rex field=_raw "(LOAD|READ)\s(?<workid>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this comes down to a better regex. This is an example that will match just the workid number you are looking for or you could change your 'OR' on the word match as well. A lookbehind assertion on a 4 letter word that is all caps plus the space.
(?<=[A-Z]{4}\s)\d
Rex would be something like this:
rex field=_raw "(?<=[A-Z]{4}\s)(?<workid>\d+)"
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
