Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

REGEX HELPING PLEASE

trevorkubheka
New Member
‎08-11-2020 04:53 AM

trevorkubheka_0-1597146695489.png

struggling to extract underlined items as RUN NAME

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

thambisetty
SplunkTrust
SplunkTrust
‎08-11-2020 10:54 AM

Simple regex:

| rex “\"run\.name\"\:\"(?<runname>[^\"]+)”

run.name will be extracted to runname field.

 

————————————
If this helps, give a like below.
0 Karma
Reply

stonefr33
Explorer
‎08-11-2020 05:30 AM

This should do the trick, thi

| rex field=_raw "run\.name":"(?<RunName>[\w\s.]+)"

The named capture group doesn't like the  space but you can use the "| rename RunName AS "Run Name" "

http://regex101.com is where I do most of my testing

stonefr33_0-1597149070030.png

 

0 Karma
Reply

trevorkubheka
New Member
‎08-11-2020 06:31 AM

does it work the same for below extract? cause im not getting it, also tried it on regex101

------------------------------------------------------------------------------------------------------------------------------------

2020-08-11 14:29:42,212 [8618-12939] ERROR NodePoolServiceImpl - [urn:uuid:979ECCA3B9BACEB335159714896138959] Find and lock (capabilities : [{"extra.executor.id":{"host.name":"https://spbbwfapp1v.standardbank.co.za:8443","context.path":"/workfusion","task.uuid":"f6bb5671-b4c3-4917-bd02-01e23488a9f6","run.name":"Business Banking AO and Sales 2020/08/11","run.uuid":"9c1d82a7-16e2-4362-9a5d-404d2b694b7d","run.author.fullname":"Mark Erasmus","run.author.email":"Mark.Erasmus@standardbank.co.za","task.name":"ia-process-business-banking-ao v2.0.3 (UpdateCompanyDataRobot)"},"browserName":"chrome","javascriptEnabled":true,"maximize.on.startup":true,"chromeOptions":{"args":[],"extensionFiles":[],"extensions":[],"experimentalOptions":{},"capabilities":{"caps":{}}},"platform":"WINDOWS"}]) failed with message : [urn:uuid:979ECCA3B9BACEB335159714896138959] Can not find any free node with requested capabilities [{"extra.executor.id":{"host.name":"https://spbbwfapp1v.standardbank.co.za:8443","context.path":"/workfusion","task.uuid":"f6bb5671-b4c3-4917-bd02-01e23488a9f6","run.name":"Business Banking AO and Sales 2020/08/11","run.uuid":"9c1d82a7-16e2-4362-9a5d-404d2b694b7d","run.author.fullnam

 

@stonefr33 

0 Karma
Reply

stonefr33
Explorer
‎08-11-2020 06:56 AM

My bad forgot to escape the double quotes for splunk. the section in the square brackets with catch a-zA-Z0-9 backslash and forward slash. If there are other characters $,%,- etc.. in the field they will need added

| rex field=_raw "\"run\.name\":\"(?<RunName>[\w\\\\/\s]+)\","

 

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...