Splunk: how to extract fields using regular expressions? like rex in splunk search

Question

I want to extract Primary and StandyBy DB names from the below string which I found in my splunk search.

Jul 20 14:43:31 XXXXXXXX GuptaA GuptaA - Primary database GuptaC - (*) Physical standby database GuptaB - Physical standby database.

Jul 20 14:43:31 XXXXXXXX KumarA KumarA - Primary database KumarC - (*) Physical standby database KumarD - Physical standby database - Physical standby database KumarE - Physical standby database

Primary DB : GuptaA SecondaryDBs : GuptaC, GuptaB

I want to show a table with below details.

Primary DB StandyByDB

GuptaA GuptaC, GuptaB KumarA KumarC, KumarD, KumarE

Any suggestions using splunk search?

Thank you!

Please check if this helps. I had same issue. https://stackoverflow.com/a/44689711/5912209 — anu arora, Jun 22 '17 at 03:44

score 1 · Accepted Answer · answered Oct 10 '18 at 03:30

1

rex field=_raw "Primary Database (?<primary>\S+) .* standby database (?<standby>\S+)"
| table primary standby

answered Oct 10 '18 at 03:30

Simon Duff

2,631
2
7
15

Splunk: how to extract fields using regular expressions? like rex in splunk search

1 Answers1