Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract the prefixed words from logs

prettysunshinez
Explorer
‎12-01-2019 09:39 AM

Hi All,
I require help in extracting the words that appear right before the word.
Example:
Null.set.error
Nullerror
Set-get-error
Timed out error
Unknown - error

From the above,the expected result is
Null.set
Null
Set-get
Timed out
Unknown

Kindly help me with this.

Thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎12-01-2019 12:32 PM

Hi prettysunshinez,

Based on the provided examples, give this a try:

your search here | rex "(?<ThisIsWhatYouWant>.+?)[\s\.-]*error"

Hope this helps ...

cheers, MuS

UPDATE After some feedback and new examples the correct regex is:

 your search here | rex "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-01-2019 02:55 PM

Like this:

... | rex ":\s*(?<error_prefix>.*?)[^A-z]+\s+error"
0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎12-01-2019 12:32 PM

Hi prettysunshinez,

Based on the provided examples, give this a try:

your search here | rex "(?<ThisIsWhatYouWant>.+?)[\s\.-]*error"

Hope this helps ...

cheers, MuS

UPDATE After some feedback and new examples the correct regex is:

 your search here | rex "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"
0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎12-05-2019 07:46 AM

Hi @MuS,
Thanks for your help.
This seems to work but this seems to capture all the words that are present before the word error

For Example:
In the below log,
Could not complete.Reason : Null.set.error

The expected is only Null.set but the its extracting me 'Could not complete.Reason : Null.set'

Likewise for the others also.

Could you kindly help.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-05-2019 09:46 AM

Hi prettysunshinez,

well you did not provided that example in your question so my regex was based on what you provided 😉 But try this regex :

 "(?<ThisIsWhatYouWant>[a-zA-Z]+[-\.\s]?[a-zA-Z]+)[\s\.-]*error"

this will also match correctly with the new example that you just provided 🙂

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎12-05-2019 10:00 AM

Hi @MuS
Thanks! This works fine 🙂

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-05-2019 10:05 AM

You're welcome and thank you 🙂

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎12-05-2019 07:57 AM

I updated my answer.

0 Karma
Reply
Solved! Jump to solution

prettysunshinez
Explorer
‎12-05-2019 08:25 AM

Hi @Noah_Woodcock

Think you have got me wrong.
I wanted to extract only the very first word that comes before the word error.

So in my initial question,I have shared the sample as below.

Null.set.error
Nullerror
Set-get-error
Timed out error
Unknown - error

and the regex that has been suggested (rex "(?.+?)[\s.-]*error") seem to capture everything that is present before the word error.

For Example:
In the below log,
Could not complete.Reason : Null.set.error

The expected is only Null.set but the its extracting me 'Could not complete.Reason : Null.set'

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...