Extract Fields at runtime in Splunk

For instance, to extract the time from the raw log shown below (note that Splunk stores each raw event in the _raw field) into a dynamic field at search time, use a rex command of this shape: rex field=_raw "(?ms).*match everything after this(?<mapToThisField>.*).*" | table mapToThisField. The named capture group becomes the new field, and it receives everything that follows the literal text you match on.


A concrete search that counts, per event, everything that follows the word Exception:

*Exception* | rex field=_raw "(?ms).*Exception(?<EType>.*).*" | stats count by EType | sort - count

Input (_raw): Time taken: 300

Output (extracted field): 300

PS: In the above regex, (?ms) sets two PCRE pattern modifiers:

  • m (PCRE_MULTILINE): When this modifier is set, the “start of line” and “end of line” constructs match immediately following or immediately before any newline in the subject string, respectively, as well as at the very start and end. 
  • s (PCRE_DOTALL): If this modifier is set, a dot metacharacter in the pattern matches all characters, including newlines. 

The full list of modifiers is here: http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php
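As an added example (not from the original post, and not Splunk's own code), this Python script mimics the rex | stats count by | sort - count pipeline over a few constructed multi-line events, and shows what the s modifier changes: without it, "." stops at the first newline and the captured field comes back empty. It assumes Python's re module, which spells a named group (?P<name>...) rather than PCRE's (?<name>...); the tighter ETYPE_CLASS pattern is my own addition, not the post's.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post). Each string is one
# multi-line event as Splunk would hold it in _raw.
SAMPLE_EVENTS = [
    "10:00:00 ERROR Caught java.lang.NullPointerException\n"
    "\tat com.example.Foo.bar(Foo.java:42)",
    "10:00:05 ERROR Caught java.lang.NullPointerException\n"
    "\tat com.example.Foo.bar(Foo.java:42)",
    "10:00:09 ERROR Caught java.io.IOException\n"
    "\tat com.example.Net.read(Net.java:10)",
    "10:00:12 INFO Time taken: 300",
]

# The post's pattern: capture everything after the last "Exception".
ETYPE_WITH_S = r"(?ms).*Exception(?P<EType>.*).*"
# Same pattern without the s modifier: "." no longer crosses newlines, so the
# capture stops at the end of the first line and is empty for these events.
ETYPE_WITHOUT_S = r"(?m).*Exception(?P<EType>.*).*"
# Tighter alternative (mine, not from the post): capture only the class name
# so stats groups on the exception type instead of on the stack-trace tail.
ETYPE_CLASS = r"(?ms)(?P<EType>\w+Exception)"
# The post's "Time taken: 300" example, written the same way.
TIME_TAKEN = r"(?ms).*Time taken: (?P<time>.*).*"


def rex(events, pattern):
    """Mimic `rex field=_raw "<pattern>"`: one dict of named groups per
    matching event. Events that do not match are skipped, as Splunk simply
    leaves the field unset. Python spells a named group (?P<name>...) where
    PCRE, and therefore Splunk, also accept (?<name>...)."""
    compiled = re.compile(pattern)
    return [m.groupdict() for m in map(compiled.search, events) if m]


def stats_count_by(rows, field):
    """Mimic `stats count by <field> | sort - count`."""
    return Counter(row[field] for row in rows).most_common()


if __name__ == "__main__":
    print(rex(SAMPLE_EVENTS, TIME_TAKEN))
    for name, pat in [("with s", ETYPE_WITH_S), ("without s", ETYPE_WITHOUT_S),
                      ("class only", ETYPE_CLASS)]:
        print(name, stats_count_by(rex(SAMPLE_EVENTS, pat), "EType"))
```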


