Wednesday 29 March 2017

Extract some text into a field with rex

I'll preface my question by saying I've got zero experience with regular expressions, so don't be afraid to answer in small words to be read slowly by me.

I'm using Splunk to examine the event logs on some servers looking for details regarding application crashes with the following search:

index=main source=WinEventLog* Type=Error ComputerName=* SourceName="Application Error"

This search returns a "Message" field that contains text which begins like this:

Faulting application name: w3wp.exe, version: 7.5.7601.17514, time stamp: 0x4ce7afa2...

I'm trying to extract a field with just the application name information in it (in this case "w3wp.exe") without the colon and space before it, and without the comma after it. I have no idea how to leverage rex to do this, but I assume that's what I want to do. There are other strings I'll want to pull out from this as well, if that changes the syntax - for example, "Faulting module name" and "Faulting module path".

Any recommendations on how to do this field extraction (without modifying props.conf or other files right now) are appreciated.
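The extraction the question asks for, as an added example that is not part of the original post: the Python below runs the same regular expressions over a constructed Message field and, via splunk_rex_commands(), produces the equivalent rex lines to append to the search quoted above. Splunk's rex uses PCRE named groups, written (?<name>...), while Python's re module needs (?P<name>...); the code keeps the Python form for matching and converts it for the SPL output. The sample event text beyond the one line quoted in the question, and the field names faulting_app, faulting_module and faulting_module_path, are assumptions made for this example.

```python
import re

# Constructed sample Message values (not from the original page). The first has the
# shape of a Windows "Application Error" event; the second is an unrelated event that
# should yield no fields at all.
SAMPLE_MESSAGES = [
    (
        "Faulting application name: w3wp.exe, version: 7.5.7601.17514, time stamp: 0x4ce7afa2\n"
        "Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7ba58\n"
        "Exception code: 0xc0000005\n"
        "Faulting application path: C:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe\n"
        "Faulting module path: C:\\Windows\\SysWOW64\\ntdll.dll\n"
    ),
    "The Windows Error Reporting service entered the running state.",
]

# One pattern per field. The literal label and the ": " stay outside the group, so
# the captured value is just the text the question wants (no colon/space before it,
# no comma after it). Values that are followed by a comma use [^,\r\n]+; the path
# line has no trailing comma, so it runs to end of line instead. Excluding \r\n in
# both keeps a class like [^,]+ from swallowing the following lines of a
# multi-line Message when a field is the last item on its line.
FIELD_PATTERNS = {
    "faulting_app":         r"Faulting application name: (?P<v>[^,\r\n]+),",
    "faulting_module":      r"Faulting module name: (?P<v>[^,\r\n]+),",
    "faulting_module_path": r"Faulting module path: (?P<v>[^\r\n]+)",
}


def extract_fields(message):
    """Return {field: value} for every pattern that matches the Message text.

    Fields whose pattern does not match are simply absent, which mirrors rex:
    a non-matching event just does not get the field created on it.
    """
    out = {}
    for name, pat in FIELD_PATTERNS.items():
        m = re.search(pat, message)
        if m:
            out[name] = m.group("v").strip()
    return out


def to_pcre(name, pat):
    """Rename the generic Python group to a PCRE named group carrying the Splunk field name."""
    return pat.replace("(?P<v>", "(?<" + name + ">")


def splunk_rex_commands():
    """The SPL equivalent: one rex command per field, to be appended to the search."""
    return ['| rex field=Message "%s"' % to_pcre(name, pat)
            for name, pat in FIELD_PATTERNS.items()]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(extract_fields(msg))
    print("\n".join(splunk_rex_commands()))
```

Appending the three rex lines to the original search gives each event the new fields inline, without touching props.conf; an event whose Message lacks a given label simply has no value for that field, so a follow-up stats count by faulting_app only counts events that actually matched.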

Source: http://docphy.com/technology/computers/software/extract-text-field-rex.html
