extract characters after colon

ksharany · ‎07-09-2018

Hi ,

My log consists of below

msg: 2018-07-07 14:30:02.226 INFO 7 --- [nio-8080-exec-6] c.f.p.a.service.CGEventRetimeService : <> : 12006

I need to extract the values after <> : i.e) 12006 alone and create alert to be sent to user .

How do I do it ?

PowerPacked · ‎07-10-2018

Hi @ksharany

Take a look at this.

Thanks

FrankVl · ‎07-09-2018

Two options:

use the characters in front of it as demarkation point: | rex "\<\>\s+:\s+(?<field1>\d+)" https://regex101.com/r/0na0Fq/1
if it is really at the end of the event and you don't have other (similar) logs that cause issues, you can grab if from the end of the string: | rex "(?<field1>\d+)$" https://regex101.com/r/0na0Fq/2

Note that second option is a simpler regex, but less efficient.

jodyfsu · ‎07-09-2018

This should work:

| rex "\<\>\s\:\s(?<NUMBERS>\d+)"

Let us know if you need more help.

ksharany · ‎07-10-2018

To be more precise - i need to search for msg with " Invalid Retimed Control Group " text and extract the highlighted felds

msg: 2018-07-07 14:30:02.226 INFO 7 --- [nio-8080-exec-6] c.f.p.a.service.CGEventRetimeService : < Invalid Retimed Control Group > : CCF 2018 12006

and display the highlighted bold once as separate columns in CSV file as below

Date - 2018-07-07
Time - 14:30:02
PTVL - CCF
MY - 2018
CG - 12006

jodyfsu · ‎07-10-2018

give this a shot:

| rex "^msg\:\s(?<DATE>.[^\s]+)\s(?<TIME>.[^\s]+).[^\:]+\:.[^\:]+\:\s(?<PTVL>.[^\s]+)\s(?<MY>.[^\s]+)\s(?<CG>.[^\s]+)"

jodyfsu · ‎07-10-2018

You will want to do
| table DATE TIME PTVL MY CG

extract characters after colon

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!