DEV Community 👩‍💻👨‍💻

Maxime Guilbert

How to extract information from logs in Splunk?

When you are debugging an application, you may need to extract some data from logs (like an id in a URI).

To help you do that, Splunk has the rex command.

How does it work?


The simplest way to use it is:

| rex regex

With this command, the regex is searched against the whole log (the _raw field).

If you want to search in a specific field, add field= followed by the name of your field.

| rex field= regex

For example, to search only in the uri field:

| rex field=uri regex


To write the regex, follow this pattern:

[Regex about the text before the desired value][Regex about the desired value][Regex about the text after the desired value]

The first and the last parts look like a classic regex.
But the middle part is a little bit particular: it is a named capture group, written as (?<field_name>regex).

Written like this, you declare the field where you want to insert your new data and the regex corresponding to its value.

You can also retrieve multiple values from a single rex command.


Retrieve a username

| rex "user\s(?<username>\w+)\s"

Retrieve the sender and the recipient of an email

| rex field=_raw "From: <(?<from>.*)> To: <(?<to>.*)>"
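As an added example that is not part of the post, the following Python mirrors what the rex command does over a few constructed events: the default search on _raw, the field=uri form, and the two-capture mail example. The rex() helper and the sample events are assumptions made for illustration, not Splunk code. Python's re module spells a named group as (?P<name>...) where Splunk's PCRE syntax uses (?<name>...); the rest of each pattern is unchanged. The last two functions also show why a greedy .* inside a capture group deserves a second look: as soon as the line contains another > after the recipient, .* swallows it, while [^>]+ stops at the first closing bracket.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real log data). Each dict stands in for one
# Splunk event: "_raw" is the full log line and "uri" a field that was already
# extracted, so both the default search and "field=uri" can be shown.
EVENTS: List[Dict[str, str]] = [
    {
        "_raw": "2024-01-01T10:00:00 login ok user alice from 10.0.0.5",
        "uri": "/api/v1/orders/98765/items",
    },
    {
        "_raw": "2024-01-01T10:00:01 login failed user bob from 10.0.0.6",
        "uri": "/api/v1/orders/12345",
    },
    {
        "_raw": "2024-01-01T10:00:02 mail From: <ops@example.test> "
                "To: <sec@example.test> subject=<alert>",
        "uri": "/healthz",
    },
]


def rex(events: List[Dict[str, str]], pattern: str,
        field: str = "_raw") -> List[Dict[str, str]]:
    """Hypothetical stand-in for `| rex field=<field> "<pattern>"`.

    The regex is run against the chosen field of every event (_raw by
    default). When it matches, every named group becomes a new field on that
    event; when it does not, the event is passed through unchanged. Like
    Splunk's rex, this never drops events, it only adds fields.
    """
    compiled = re.compile(pattern)
    out = []
    for event in events:
        event = dict(event)  # copy so the caller's list is not modified
        match = compiled.search(event.get(field, ""))
        if match:
            event.update({k: v for k, v in match.groupdict().items()
                          if v is not None})
        out.append(event)
    return out


def extract_usernames(events=EVENTS) -> List[Optional[str]]:
    """The post's `| rex "user\\s(?<username>\\w+)\\s"` example on _raw."""
    return [e.get("username")
            for e in rex(events, r"user\s(?P<username>\w+)\s")]


def extract_order_ids(events=EVENTS) -> List[Optional[str]]:
    """`| rex field=uri ...`: pull the numeric id out of a URI path segment."""
    return [e.get("order_id")
            for e in rex(events, r"/orders/(?P<order_id>\d+)", field="uri")]


def extract_mail_greedy(events=EVENTS) -> Tuple[Optional[str], Optional[str]]:
    """The post's two-group mail example as written, with greedy `.*`."""
    matched = rex(events, r"From: <(?P<from>.*)> To: <(?P<to>.*)>")[2]
    return matched.get("from"), matched.get("to")


def extract_mail_strict(events=EVENTS) -> Tuple[Optional[str], Optional[str]]:
    """Same extraction with `[^>]+`, which stops at the first closing bracket."""
    matched = rex(events, r"From: <(?P<from>[^>]+)> To: <(?P<to>[^>]+)>")[2]
    return matched.get("from"), matched.get("to")


if __name__ == "__main__":
    print("usernames:", extract_usernames())  # ['alice', 'bob', None]
    print("order ids:", extract_order_ids())  # ['98765', '12345', None]
    print("greedy   :", extract_mail_greedy())
    print("strict   :", extract_mail_strict())
```

On the third event the greedy version returns the recipient as "sec@example.test> subject=<alert", because .* keeps going until the last > on the line, while the [^>]+ version returns "sec@example.test". The Splunk equivalent of the stricter pattern is | rex field=_raw "From: <(?<from>[^>]+)> To: <(?<to>[^>]+)>".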


I hope it will help you! 🍺
