Solved: Extract two field into two variable from a single ...

anilkashyap · ‎07-31-2019

I want to extract the PID number from the log and store in variable failedPID. i have many of this kind of message with different Application Names.

Application: MM Viewer, PID: 7988 failed
Application: Database Browser App, PID: 6788 failed
Application: CentralViewer, PID: 7978 failed

i am using

rex  "Application:  (?<failedPID>.*) failed" | dedup 1 _time | chart count by failedPID

which is giving me output as

MM Viewer, PID: 7988
Database Browser App, PID: 6788
CentralViewer, PID: 7978

my ultimate goal is to store Application name in failedApp variable and PID in failedPID avriable.

DavidHourani · ‎07-31-2019

Hi @anilkashyap,

If this only applies to failed events, then try this :

| rex  field=_raw  "Application:\s(?<failedApp>.+),\sPID:\s(?<failedPID>\d+)\sfailed"

Cheers,
David

View solution in original post

gcusello · ‎07-31-2019

Hi anilkashyap,
you can extract both the fields using one regex:

| rex "Application:\s+(?<failedApp>[^,]*),\s+PID:\s+(?<failedPID>\d*)\s+failed"

You can test it at https://regex101.com/r/piK2bJ/1

Bye.
Giuseppe

DavidHourani · ‎07-31-2019

Hi @anilkashyap,

If this only applies to failed events, then try this :

| rex  field=_raw  "Application:\s(?<failedApp>.+),\sPID:\s(?<failedPID>\d+)\sfailed"

Cheers,
David

renjith_nair · ‎07-31-2019

@anilkashyap

Try

|rex  "Application:\s+(?<failedApp>.+),\s+PID:\s+(?<failedPID>\d+)"

---
What goes around comes around. If it helps, hit it with Karma 🙂

Extract two field into two variable from a single line of log

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases