For instance, to extract the time from this raw log (note that Splunk stores the raw event text in the _raw field) into a dynamic field such as time, use a rex of this shape:
Input: Time taken: 300
rex field=_raw "(?ms).*match everything after this(?<mapToThisField>.*).*" | table mapToThisField
For count stats, use:
*Exception* | rex field=_raw "(?ms).*Exception(?<EType>.*).*" | stats count by EType | sort - count
PS: In the above regex, (?ms) turns on two PCRE search modifiers:
- m (PCRE_MULTILINE): When this modifier is set, the “start of line” and “end of line” constructs match immediately following or immediately before any newline in the subject string, respectively, as well as at the very start and end.
- s (PCRE_DOTALL): If this modifier is set, a dot metacharacter in the pattern matches all characters, including newlines.
The full list of modifiers is here: http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php
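To see what the (?ms) modifiers and the greedy leading `.*` actually do to both rex searches above (the "Time taken" extraction and the count-by-Exception stats), here is an added Python example that replays the same patterns over a few constructed multi-line events. It is not code from the original note or from Splunk: `rex_extract` and `count_by` are stand-ins for `rex` and `stats count by ... | sort - count`, the sample events are made up, and Python spells a named group `(?P<name>...)` where PCRE/Splunk spell it `(?<name>...)`. The second, tighter EType pattern is an addition that is not on the page; it is there to show why grouping on "everything after Exception" rarely buckets the way one expects.

```python
import re
from collections import Counter

# Constructed sample events, not taken from the original note. Each string is
# what Splunk would hold in the _raw field for one event; some span lines.
RAW_EVENTS = [
    "2024-01-01 10:00:00 INFO request finished\nTime taken: 300",
    "2024-01-01 10:00:01 ERROR java.lang.NullPointerException: null id\n\tat Foo.bar()",
    "2024-01-01 10:00:02 ERROR java.io.IOException: disk full",
    "2024-01-01 10:00:03 ERROR java.lang.NullPointerException: null id\n\tat Baz.qux()",
    "2024-01-01 10:00:04 INFO heartbeat",
]


def rex_extract(raw, pattern, field):
    """Stand-in for `rex field=_raw "<pattern>"` applied to one event.

    Returns the text captured by the named group `field`, or None when the
    pattern does not match (Splunk then simply leaves the field unset).
    The inline (?ms) flags at the start of the pattern are honoured by re,
    so the MULTILINE/DOTALL semantics described in the note apply here too.
    """
    m = re.search(pattern, raw)
    return m.group(field) if m else None


# Same shape as the note's template: "Time taken: 300" -> time = "300".
TIME_PATTERN = r"(?ms).*Time taken: (?P<time>.*).*"


def extract_time(raw):
    return rex_extract(raw, TIME_PATTERN, "time")


def count_by(events, search_term, pattern, field):
    """Stand-in for `<term> | rex ... | stats count by <field> | sort - count`.

    The search-term filter is a plain substring test, a simplification of
    Splunk's tokenised, case-insensitive search. Events the rex does not
    match contribute nothing, just as stats drops events lacking the field.
    Returns (value, count) pairs, most frequent first, ties in value order.
    """
    counts = Counter()
    for raw in events:
        if search_term not in raw:
            continue
        value = rex_extract(raw, pattern, field)
        if value is not None:
            counts[value] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# The note's pattern. Because the leading .* is greedy and (?s) lets it cross
# newlines, the literal "Exception" is matched at its LAST occurrence in the
# event and EType receives everything after it, including any later lines.
PAGE_ETYPE_PATTERN = r"(?ms).*Exception(?P<EType>.*).*"

# Added variant (not on the page): capture the class name ending in
# "Exception" instead of the trailing text, so stats groups by exception type.
CLASS_ETYPE_PATTERN = r"(?ms).*?(?P<EType>[\w.]*Exception)"


if __name__ == "__main__":
    print(extract_time(RAW_EVENTS[0]))
    print(count_by(RAW_EVENTS, "Exception", PAGE_ETYPE_PATTERN, "EType"))
    print(count_by(RAW_EVENTS, "Exception", CLASS_ETYPE_PATTERN, "EType"))
```

Running it shows the two faces of (?s): the time extraction works because "300" is the last thing in the event, but with the note's EType pattern the three exception events land in three separate buckets of count 1, since the captured tail (": null id\n\tat Foo.bar()" and so on) differs per event. The class-name variant buckets them as two NullPointerException and one IOException. The same caveat applies to the time field: with DOTALL, `(?<time>.*)` swallows everything to the end of the event, so a narrower class such as `\d+` is the safer choice when more lines follow.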