Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I edit the regex in my search to extract a part of a string?

kumina
New Member
‎06-24-2015 04:51 AM

I have a log:

 BL: | LL: INFO | TS: 1234 | AR: RxC_16.00.37.01 | STORE:  :BROADCAST |
 USER: BROADCAST | HOST: BROADCAST | APPSERVER: rri | MSGID: CINTERFACE
 |SC: [Profile] | MSG: ISP Broadcast Received for

I want to get MSGID-SC (CINTERFACE-Profile) from the string above.

For this i am trying to use rex command:

index=rx_connect "USER: BROADCAST" |rex field=_raw
"MSGID:\s(?<MSGID>[^\|]*)\s\|\SC:\s\[(?<SC>[^\]]*)\]" | eval
someNewField=MSGID."-".SC`

But it is not working. Please suggest further.

0 Karma
Reply

chimell
Motivator
‎06-26-2015 08:29 AM

Hi kumina

If msgid and sc are not constant , use the max_match option and mvindex command to solve your problem

Try this search code 

 index=rx_connect "USER: BROADCAST"|rex field=_raw  max_match=0 "\|\s\w+\:\s(?P<msgid1>[^\|]+)\s"|eval msgid=mvindex(msgid1,7)
|rex field=_raw "\[(?P<sc>[^\|]+)\]"|rex field=_raw "\|\s(?P<field1>[\w]+)\:\sCINTERFACE"|rex field=_raw "\|(?P<field2>[\w]+)\:\s\[Profile]"|eval someNewField = field1."-".field2."  (".msgid."-".sc.")" 
|table msgid sc field1 field2 someNewField

see result
alt text

Preview file
1 KB
0 Karma
Reply

chimell
Motivator
‎06-25-2015 05:28 AM

Hi kumina

Try this search code it works well

 index=rx_connect "USER: BROADCAST" |rex field=_raw "MSGID:\s(?P<msgid>[^\|]+)\s"|rex field=_raw "SC:\s\[(?P<sc>[^\|]+)\]"|rex field=_raw "\|\s(?P<field1>[\w]+)\:\sCINTERFACE"|rex field=_raw "\|(?P<field2>[\w]+)\:\s\[Profile]"|eval someNewField = field1."-".field2."  (".msgid."-".sc.")" |table msgid sc field1 field2 someNewField

Look at the following screen capture

alt text

Preview file
1 KB
0 Karma
Reply

chimell
Motivator
‎06-26-2015 07:33 AM

Thanks too .
Test the second result and think to vote and accept

0 Karma
Reply

kumina
New Member
‎06-26-2015 03:15 AM

Thanks Chimell....
Now it works

0 Karma
Reply

kumina
New Member
‎06-26-2015 03:17 AM

Hi,

If value of msgid and sc in above logs is not constant and we want to extract that part then what will be the string

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎06-24-2015 04:55 AM

Your regex has a Typo. Try this:

index=rx_connect "USER: BROADCAST" |rex field=_raw "MSGID:\s(?<msgid>[^\|]+)\s\|SC:\s\[(?<sc>[^\]]*)\]" | eval someNewField = msgid."-".sc
Reply

kumina
New Member
‎06-24-2015 10:24 PM

Hi,

I am still getting whole logs instead of

MSGID-SC

example:(CINTERFACE-Profile)

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...