Hi,
I want to extract a part of a text into a new field, and it was very difficult for me.
This is an extract of my log file. What I want to extract is IKEA.
ABC5=/DATAINTER/PROJET/kls-NFS-TDF/nil_ano/input/asd_b1m3_QS_First_Request.IKEA.4578944.201504081236.xml
I tried something like this but it does not give a result
source="ok.txt" host="LPO6523" |rex field=_raw "INF1=*.(?<DIST>.*).*.*.xml"
Thank you for your help
The correct line that we have to put is
source="ok.txt" host="LPO6523" |rex field=_raw "ABC5=\/\w*\W*\/\w*\W*\/\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*(?<DIST>.*).{20}xml"
Those 2 links were very helpful
http://blog.paumard.org/cours/java-api/chap03-expression-regulieres-syntaxe.html
Thank you MuS
Sorry to say, but this is not the way you should use regex. If you're using a lot of these regexes on your search head, you will probably end up in trouble.
Here is why, your regex tells Splunk to search for:
ABC5= matches the characters ABC5= literally (case sensitive)
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
(?<DIST>.*) Named capturing group DIST
.* matches any character (except newline)
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
.{20} matches any character (except newline)
Quantifier: {20} Exactly 20 times
xml matches the characters xml literally (case sensitive)
There are far more optimized regex available to get only a part of a string. Maybe you should be more specific with your use case or provide more examples.
BTW: using your regex and your provided example it matches IKEA.4
cheers, MuS
PS: Sorry to make this an answer but the regex translation part is simply too long for a comment 😉
Yes, I agree with you, but I found that it is very difficult to make something that can be applicable to the general case. But in my case it works perfectly with this handling (I used the regular expression that you sent me before 🙂 https://regex101.com/)
Thank you MuS, have a nice day
Hi otman01,
based on your provided example you can use something like this:
source="ok.txt" host="LPO6523" |rex field=_raw "\.(?<DIST>\w+)\."
This will give you a field called DIST with the value IKEA
You can train your regex skills on a site like this https://regex101.com or http://regexr.com
Hope this helps ...
cheers, MuS
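Added example, not part of the thread: the two `rex` patterns posted above run against the sample event and against a constructed event whose directory name contains dots, next to an assumed alternative anchored on the file name. `ANCHORED`, `DOTTED_DIR`, and the `name.DIST.digits.digits.xml` file-name layout are assumptions; Python's `re` stands in for Splunk's PCRE.

```python
import re

# The sample event from the question.
SAMPLE = ("ABC5=/DATAINTER/PROJET/kls-NFS-TDF/nil_ano/input/"
          "asd_b1m3_QS_First_Request.IKEA.4578944.201504081236.xml")
# Constructed event (not from the thread): a directory name containing dots.
DOTTED_DIR = ("ABC5=/DATAINTER/rel.v2.old/input/"
              "asd_First_Request.IKEA.4578944.201504081236.xml")

# Patterns exactly as posted in the thread (PCRE syntax, as given to rex).
POSTED_LONG = (r"ABC5=\/\w*\W*\/\w*\W*\/\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*"
               r"(?<DIST>.*).{20}xml")
POSTED_SHORT = r"\.(?<DIST>\w+)\."
# Assumed alternative (not from the thread): anchor on the last path segment
# and on the assumed file-name layout name.DIST.digits.digits.xml.
ANCHORED = r"ABC5=\S*/[^/.\s]+\.(?<DIST>[^./\s]+)\.\d+\.\d+\.xml"

PATTERNS = {"long": POSTED_LONG, "short": POSTED_SHORT, "anchored": ANCHORED}


def extract(pattern, event):
    """Return the DIST capture of an unanchored search, or None if no match."""
    # Python's re spells named groups (?P<name>...); PCRE also accepts (?<name>...).
    match = re.search(pattern.replace("(?<DIST>", "(?P<DIST>"), event)
    return match.group("DIST") if match else None


def compare(event):
    """Map each pattern name to what it extracts from one event."""
    return {name: extract(pattern, event) for name, pattern in PATTERNS.items()}


if __name__ == "__main__":
    for label, event in (("sample", SAMPLE), ("dotted dir", DOTTED_DIR)):
        print(label, compare(event))
```

The fixed `.{20}` and the fixed number of `\w*\W*` pairs tie the long pattern to one path depth and one file-name length, while the short pattern takes whatever sits between the first two dots of the event.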
This is what I tried. I don't know how it changed.
source="ok.txt" host="LPO6523" |rex field=_raw "ABC5=//////.(?<DIST>.)..*.xml"
This will not work, because you have to escape the `/` in regex like this `\/`. Also a `*` after the `/` will only match the `/` zero or multiple times (greedy match), you should use `.*` instead or `.+`
OK, I will try, and if I find some result I will post a correct answer
There is a star between the //
This page uses Markdown coding; enter Splunk SPL in `` or use the `101010` button to encode it 😉