Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Regex to extract two strings from log and make as field

pingdpk
Engager
‎02-21-2017 04:08 AM

Log - (given 2 lines for example)

2017/02/21 03:46:12.119-0800 [http-bio-8480-exec-3] C3AF4B3F9C2E40D2006D1513C81191A6.pppxwbtect014 INFO  c.e.c.w.b.r.ShirtsSaleResource -  #xHoster#  #**res_ShirtServiceTosite**#  ShirtsSaleResource.getLossier  , URI ->  /{1856659}  , Time taken to get JSON -> **58** milliseconds

2017/02/21 03:46:08.489-0800 [http-bio-8480-exec-2] 82F757837394C2E950AEB9A47043DD61.pppxwbtect010 INFO  c.e.c.p.m.i.CmppRestClientImpl -  #xHoster#  #**res_CmppToShirtService**#  CmppRestClientImpl.prepareChange  , URI -> http://ppp-Shirteu.ch.expeso.com:52008/order/PrepareChange , Time taken to get XML response ->  **178** milliseconds

Expected output : 

Field1                            Field2
res_ShirtServiceToSite            58
res_CmppToShirtService            178

I tried : 

index=app source=/var/log* "#xHoster#" | rex field=_raw res_(?.*)# | rex field=_raw .\-\>\s(?.*)\smilliseconds |table ptype,ptime
0 Karma
Reply

aaraneta_splunk
Splunk Employee
Splunk Employee
‎04-19-2017 05:58 PM

@pingdpk - Looks like you have a few possible solutions to your question. If one of them provided a working solution, please don't forget to click "Accept" below the best answer to resolve this post. If you still need help, please leave a comment. Don’t forget to upvote anything that was helpful too. Thanks!

0 Karma
Reply

zanb
Path Finder
‎02-22-2017 02:03 PM

Here's my RegEx:

(?P<ptype>res_\w+).*\*\*(?P<ptime>\d+)
0 Karma
Reply

nikhilb0763
Engager
‎02-22-2017 11:49 AM

How about this:

rex field=_raw "(?res_[^*]+)" | rex field=_raw "\*(?\d+)"
0 Karma
Reply

rjthibod
Champion
‎02-21-2017 05:12 AM

How about this

index=app source=/var/log* "#xHoster#" 
| rex field=_raw  "#(?<ptype>res_[^#]+)#.+\-\>\s*(?<ptime>\d+)\s*milliseconds" 
| table ptype ptime
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎02-21-2017 05:45 AM

I came up with \*\*(?<ptype>res_[^\*]+)\*\*.*?\*\*(?<ptime>\d+)\*\*

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...