Splunk: How to use multiple regular expressions in one query?

Question

I have four regular expressions which I would like to use for one query. All the regular expressions are okay for itselves but I did not find out how to use them in pne query together:

These are the regular expressions:

Expression 1:

(?<time>\d{4}.\d{2}.\d{2}\s\d{2}.\d{2}.\d{2}.\d{3})

Expression 2:

deviceId...(?<deviceId>\d+)

Expression 3:

error....code...(?<errorCode>\w+)

Expression 4:

"\"message...(?<errorMessage>.*?)\"

And I tried this among some other things in Splunk:

 source="xyz.log" |rex field=_raw  "(?<time>\d{4}.\d{2}.\d{2}\s\d{2}.\d{2}.\d{2}.\d{3}) deviceId...(?<deviceId>\d+) error....code...(?<errorCode>\w+) "\"message...(?<errorMessage>.*?)\"" |table time deviceId errorCode errorMessage

But I got an error.

Answer 1

You might be able to combine the regexes using the OR | operator, but it's far easier to use multiple rex commands. Using multiple commands has the advantage of allowing the keywords to be order-independent.

source="xyz.log" 
|rex field=_raw  "(?<time>\d{4}.\d{2}.\d{2}\s\d{2}.\d{2}.\d{2}.\d{3})" 
|rex "deviceId...(?<deviceId>\d+)"
|rex "error....code...(?<errorCode>\w+)"
|rex "\\\"message...(?<errorMessage>.*?)\\\"" 
|table time deviceId errorCode errorMessage

Answer 2

I generally try to avoid putting multiple field extracts in a single rex

Instead, I go for sequential ones like this:

<search>
| rex field=_raw "(?<ip>\d+\.\d+\.\d+\.\d+):"
| rex field=_raw "\d+:(?<port>\d+)"
| rex field=_raw "\d+:\d+\s+(?<msg>.+)"
<more stuff here>

In this example, I'm pulling an IP, port, and some message afterwards into three new fields: ip, port, msg

Of course, if you can this should be done in props.conf ...but that's not always possible