SRPWEB9-Daily-Incremental-Backup-to-VTL

kavyakanne · ‎05-12-2020

Attached are my events I want rex to extract the highlighted text from the events and the events are logged under the field name JobName

========================================================
krwesx05.krw.app.com-IDPD3VPSEC01-Daily-Incremental-Backup-to-Disk
krwesx06.krw.app.com-krwbe3-Daily-Incremental-Backup-to-Disk
IDPD2VPIVC01-Application-02-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Web-Server-01-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Mail-Server-01-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-File-Servers-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Mail-Server-01-Daily-Incremental-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-KRWHR1-Backup-Daily-Incremental-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Application-03-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Application-01-Daily-Incremental-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC02-Application-03-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Application-02-Daily-Incremental-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Active-Directory-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Application-01-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC02-Active-Directory-Weekly-Full-Backup-to-StoreOnce-Catalyst
IDPD2VPIVC01-Mail-Server-02-KRWLN3-Daily-Incremental-Backup-to-StoreOnce-Catalyst
idwikppads01.app.com-Daily-Incremental-Backup-to-VTL
APP_Gold_VM_Image_Backup_01-Daily-Incremental-Backup-to-VTL
APP_Global_AD-Daily-Incremental-Backup-to-VTL

SRPWEB9-Daily-Incremental-Backup-to-VTL

Post rex I would want results like

Daily-Incremental-Backup
Weekly-Full-Backup

richgalloway · ‎05-12-2020

Here's one regex string. It's not as efficient as I would like, though.

| rex "(?<jobName>(?:Daily|Weekly)-\w+-Backup)"

This one is a little different, but a lot more efficient.

| rex "-(?<jobName>\w+-\w+-Backup)-"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎05-12-2020

Here's one regex string. It's not as efficient as I would like, though.

| rex "(?<jobName>(?:Daily|Weekly)-\w+-Backup)"

This one is a little different, but a lot more efficient.

| rex "-(?<jobName>\w+-\w+-Backup)-"

---
If this reply helps you, Karma would be appreciated.

kavyakanne · ‎05-12-2020

Thanks a ton! 🙂

need help to write regex for the below events

SRPWEB9-Daily-Incremental-Backup-to-VTL

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio