Reputation: 319
Splunk Regex: Unable to extract data
what am I doing wrong here??
Splunk QUERY:
index=du sourcetype="du:sbaservice-log" du_service="dugovt4.0" "ERROR=" | rex field=_raw
"INFO\=>CaseFileID\s+(?.*)" | rex field=_raw "INFO\=>Envelope\InstID\s\=\s(?
instID>\d+)"| rex field=_raw "lenderCaseNo\s[(?\d+)]" | rex field=_raw
"Originating\sID:\s+(?\S+)" | rex field=_raw "SBA\sCommand:\s+(?
\S+)" | rex field=_raw "Host:\s+(?\S+)" | rex field=_raw " Base\sGUID:\s+(?
\S+)" | eval BTime = strptime(Begin_time, "%H:%M:%S.%3N") | eval CTime =
strptime(Completion_time, "%H:%M:%S.%3N") | eval ResTime=CTime-BTime
Also I am not getting the value of CASEFILEID data
ERROR: I get an error:-Error in 'rex' command: Encountered the following error while compiling the
regex 'INFO\=>Envelope\InstID\s\=\s(?instID>\d+)': Regex: unrecognized character follows .
DATA in the LOG:
11/21/2019 12:22:01.817 INFO=>Executing workflow...
11/21/2019 12:22:01.817 INFO=>CaseFileID 1427667459
11/21/2019 12:22:01.817 INFO=>Creating task 1003ToCLDF
11/21/2019 12:22:01.818 INFO=>Envelope InstID = 12006
Upvotes: 0
Views: 645
Answers (1)
Reputation: 319
I corrected the regex and I was able to get the results
| rex field=raw "INFO=>CaseFileID\s*(?\d+)"
| rex field=raw "INFO=>Envelope InstID\s*=\s*(?\d+)"
Upvotes: 0
Related Questions
- Not able to match the regex
- Splunk rex extract field, I am close but just cant get it matching
- Splunk query not endswith
- Splunk: How to extract field directly in Search command using regular expressions?
- Splunk - regex extract fields from source
- Splunk not recognizing regex
- If statements and extracting values
- regex operator in Splunk is not working to match results
- RegEx in Splunk Search
- Splunk regex query returning no results