Splunk Search

REGEX help

rpascua
Explorer

Please help with REGEX problem.

Sample Data:

Bank summary of John_Doe2/default (0.03 seconds): deposit (15 dollars, 0 cents), withdrawal (2 dollars, 0 cents).

This is the regex I use to extract the numbers. It works.

| rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Deposit Withdrawal | addcoltotals

Now I want to include "Names" in my search and put them in one table along with the rest of the numbers. I tried the REGEX below, but I keep getting blanks in the "Name" column. What am I missing here?

| rex "\sof \((?<Name>\([A-Za-z0-9_])" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addcoltotals
1 Solution

martin_mueller
SplunkTrust

Try this:

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addcoltotals

There were some extra opening parentheses, and no + quantifier.

Note, if you can control that output it's easier to change it to key=value pairs - then you don't need to mess around with regular expressions for field extraction.


rpascua
Explorer

I posted a new question titled "Regex Money" so feel free to look it up and post your response.

Here's my new question:
If John took money out three times within a 24-hour period, using the REGEX below, I would have a 3-line output.

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)"

But all I need is a one-liner like this:

John (Deposit: 0) (Withdrawal: 110) (Total Withdrawal: 110)

I tried multiple combinations but keep coming up emp

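The accepted answer's diagnosis (a stray `\(` that demands a literal parenthesis the data does not contain, and a missing `+` so the group could only ever take one character) and the follow-up's wish to collapse several events for one person into a single line can both be checked without a Splunk instance. The script below is an added example, not code from the thread or from Splunk: it applies the thread's rex strings verbatim to constructed sample events shaped like the one in the question, converts Splunk's PCRE `(?<name>...)` group syntax to Python's `(?P<name>...)`, shows the broken pattern leaving `Name` blank while the fixed one extracts it, and then rolls the rows up per `Name` with a column total, which is what `stats sum(...) by Name` followed by `addcoltotals` would do in SPL. The function names and the extra `Jane_Roe` events are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in the same shape as the thread's line (not real data).
# John_Doe2 appears three times to mirror the "three withdrawals in 24 hours" follow-up.
SAMPLE_EVENTS = [
    "Bank summary of John_Doe2/default (0.03 seconds): deposit (15 dollars, 0 cents), withdrawal (2 dollars, 0 cents).",
    "Bank summary of John_Doe2/default (0.02 seconds): deposit (0 dollars, 0 cents), withdrawal (50 dollars, 0 cents).",
    "Bank summary of John_Doe2/default (0.04 seconds): deposit (0 dollars, 0 cents), withdrawal (58 dollars, 0 cents).",
    "Bank summary of Jane_Roe/default (0.03 seconds): deposit (100 dollars, 0 cents), withdrawal (0 dollars, 0 cents).",
]

# The rex patterns exactly as written in the thread (Splunk/PCRE named-group syntax).
BROKEN_NAME = r"\sof \((?<Name>\([A-Za-z0-9_])"   # from the question: yields blank Name
FIXED_NAME = r"\sof (?<Name>[A-Za-z0-9_]+)"        # from the accepted answer
DEPOSIT = r"\sdeposit \((?<Deposit>\d+)"
WITHDRAWAL = r"\s*withdrawal \((?<Withdrawal>\d+)"


def to_python_regex(pattern: str) -> re.Pattern:
    """rex uses PCRE '(?<name>...)' groups; Python's re needs '(?P<name>...)'.
    Only the named-group opener is rewritten; lookbehinds '(?<=' and '(?<!' are untouched."""
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern))


def rex(event: str, pattern: str) -> dict:
    """Mimic '| rex "<pattern>"': first match wins, captured groups become fields,
    and a pattern that does not match contributes nothing (the field stays blank)."""
    m = to_python_regex(pattern).search(event)
    return m.groupdict() if m else {}


def extract(event: str, name_pattern: str = FIXED_NAME) -> dict:
    """Apply the three rex stages of the thread's search to one event.
    Numeric fields become int so they can be totalled; missing fields are None."""
    fields = {}
    for pattern in (name_pattern, DEPOSIT, WITHDRAWAL):
        fields.update(rex(event, pattern))
    return {
        "Name": fields.get("Name"),
        "Deposit": int(fields["Deposit"]) if "Deposit" in fields else None,
        "Withdrawal": int(fields["Withdrawal"]) if "Withdrawal" in fields else None,
    }


def summarise(events, name_pattern: str = FIXED_NAME) -> dict:
    """One row per Name (what 'stats sum(Deposit) sum(Withdrawal) by Name' produces),
    plus a column total under the key 'Total' (what addcoltotals appends)."""
    per_name = defaultdict(lambda: {"Deposit": 0, "Withdrawal": 0})
    for event in events:
        row = extract(event, name_pattern)
        for col in ("Deposit", "Withdrawal"):
            if row[col] is not None:
                per_name[row["Name"]][col] += row[col]
    result = dict(per_name)
    result["Total"] = {col: sum(r[col] for r in per_name.values()) for col in ("Deposit", "Withdrawal")}
    return result


def one_liner(events, name: str) -> str:
    """The single-line summary the follow-up asks for, for one account name."""
    s = summarise(events)
    return (f"{name} (Deposit: {s[name]['Deposit']}) (Withdrawal: {s[name]['Withdrawal']}) "
            f"(Total Withdrawal: {s['Total']['Withdrawal']})")


if __name__ == "__main__":
    print("broken Name pattern:", extract(SAMPLE_EVENTS[0], BROKEN_NAME))
    print("fixed Name pattern: ", extract(SAMPLE_EVENTS[0]))
    for name, row in summarise(SAMPLE_EVENTS).items():
        print(f"{name!s:10} {row['Deposit']:>8} {row['Withdrawal']:>11}")
    print(one_liner(SAMPLE_EVENTS, "John_Doe2"))
```

Running it prints `None` for `Name` under the question's pattern and `John_Doe2` under the answer's, then the per-name rows with a total row. The answer's closing remark applies here too: if the application wrote `name=John_Doe2 deposit=15 withdrawal=2` instead, Splunk's automatic key=value extraction would supply all three fields and none of these patterns would be needed.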

martin_mueller
SplunkTrust

Great. Don't forget to mark this as solved.


rpascua
Explorer

It's the little things. Thanks! It works!
