I have four regular expressions which I would like to use in one query. All the regular expressions work fine on their own, but I did not find out how to use them together in one query:
These are the regular expressions:
Expression 1:
(?<time>\d{4}.\d{2}.\d{2}\s\d{2}.\d{2}.\d{2}.\d{3})
Expression 2:
deviceId...(?<deviceId>\d+)
Expression 3:
error....code...(?<errorCode>\w+)
Expression 4:
"\"message...(?<errorMessage>.*?)\"
And I tried this among some other things in Splunk:
source="xyz.log" |rex field=_raw "(?<time>\d{4}.\d{2}.\d{2}\s\d{2}.\d{2}.\d{2}.\d{3}) deviceId...(?<deviceId>\d+) error....code...(?<errorCode>\w+) "\"message...(?<errorMessage>.*?)\"" |table time deviceId errorCode errorMessage
But I got an error.
You might be able to combine the regexes using the OR | operator, but it's far easier to use multiple rex commands. Using multiple commands has the advantage of allowing the keywords to be order-independent.
source="xyz.log"
|rex field=_raw "(?<time>\d{4}.\d{2}.\d{2}\s\d{2}.\d{2}.\d{2}.\d{3})"
|rex "deviceId...(?<deviceId>\d+)"
|rex "error....code...(?<errorCode>\w+)"
|rex "\\\"message...(?<errorMessage>.*?)\\\""
|table time deviceId errorCode errorMessage