Re: How extract fields within my sample log?

ppanchal · ‎06-06-2017

Below is my log

Database-Error(3100)\nCONF-01083 - Count of positive/negative confirmations do not match the service quantity.  -> route order:152561611(61NX) / customer:699-0006223seq.nr:2\nCause: SQLException: ORA-20000: CONF-01083 - Count of positive/negative confirmations do not match the service quantity.  -> route order:152561611(61NX) / customer:699-0006223seq.nr:2\nORA-06512

I want to extract 3 fields,
152561611 as routeorder
61NX as route
699-0006223 as customer

Can somebody please assist me in achieving this?

woodcock · ‎06-06-2017

Like this:

| rex "->\s*route\s*order:(?<routeorder>\d+)\((?<route>[^\)]+)\)\s*\/*\s*customer:(?<customer>[\d-]+)"

rphillips_splk · ‎06-06-2017

You can achieve this with a search-time field extraction on your search head in props.conf:
apply this the sourcetype,source,or host metadata
example using sourcetype:

$SPLUNK_HOME/etc/system/local/props.conf
[mysourcetype]
EXTRACT-fields = route\s+order\:(?<routeorder>\d+)$(?<route>\S+)$\s+\/\s+customer\:(?<customer>\d+\-\d+)

DalJeanis · ‎06-06-2017

This will pull the first example of each field out of the _raw data.

| rex "route order:(?<routeorder>\d+)\s+?\((?<route>[^\)]*\))"
| rex "customer:(?<customer>[-0-9]*)"

Assumptions - (A) routeorder is always numeric (B )route is always found in parenthesis after the route, and does not contain any internal parenthesis, (C) customer consists solely of numbers and dashes.

How extract fields within my sample log?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...