
How can we extract a text in a new field

otman01
Communicator

Hi ,
I want to extract a part of a text into a new field, and it was very difficult for me.
This is an extract of my log file. What I want to extract is IKEA.

ABC5=/DATAINTER/PROJET/kls-NFS-TDF/nil_ano/input/asd_b1m3_QS_First_Request.IKEA.4578944.201504081236.xml

I tried something like this but it gives no result

source="ok.txt" host="LPO6523" |rex field=_raw  "INF1=*.(?<DIST>.*).*.*.xml"

thank you for your help


otman01
Communicator

The correct line that we have to put is

source="ok.txt" host="LPO6523" |rex field=_raw "ABC5=\/\w*\W*\/\w*\W*\/\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*(?<DIST>.*).{20}xml"

Those 2 links were very helpful

http://blog.paumard.org/cours/java-api/chap03-expression-regulieres-syntaxe.html

https://regex101.com/

Thank you MuS


MuS
SplunkTrust

Sorry to say, but this is not the way you should use regex. If you're using a lot of regexes like this on your search head, you will probably end up in trouble.
Here is why; your regex tells Splunk to search for:

ABC5= matches the characters ABC5= literally (case sensitive)
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
(?<DIST>.*) Named capturing group DIST
.* matches any character (except newline)
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
.{20} matches any character (except newline)
Quantifier: {20} Exactly 20 times
xml matches the characters xml literally (case sensitive)

There are far more optimized regex available to get only a part of a string. Maybe you should be more specific with your use case or provide more examples.

BTW: using your regex and your provided example it matches IKEA.4

cheers, MuS

PS: Sorry to make this an answer but the regex translation part is simply too long for a comment 😉


otman01
Communicator

Yes, I agree with you, but I found that it is very difficult to make something that can be applicable to the general case. But in my case it works perfectly with this handling (I used the regular expression that you sent me before 🙂 https://regex101.com/ )

Thank you MuS, have a nice day



MuS
SplunkTrust

Hi otman01,

based on your provided example you can use something like this:

 source="ok.txt" host="LPO6523" |rex field=_raw  "\.(?<DIST>\w+)\."

This will give you a field called DIST with the value IKEA.

You can train your regex skills on sites like https://regex101.com or http://regexr.com

Hope this helps ...

cheers, MuS

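The patterns from this thread run side by side, as an added Python example that is not part of any post here. Python's re module needs (?P<name>...) where Splunk's rex takes (?<name>...); the "anchored" pattern and the second, dotted sample path are my own additions, not from the thread. The question's first attempt finds nothing because the event contains no INF1=, the accepted answer's long pattern returns IKEA.4 as MuS noted above, MuS's short pattern returns IKEA, and the anchored form reads the segment from the fixed tail of the filename, so a dot earlier in the name does not shift the capture.

```python
import re

# Constructed sample event, copied from the log excerpt in the question.
RAW = ("ABC5=/DATAINTER/PROJET/kls-NFS-TDF/nil_ano/input/"
       "asd_b1m3_QS_First_Request.IKEA.4578944.201504081236.xml")

# Constructed variant (assumption, not from the thread): a dot inside the
# filename prefix, to show which patterns depend on where the dots sit.
RAW_DOTTED = ("ABC5=/DATAINTER/PROJET/kls-NFS-TDF/nil_ano/input/"
              "asd.b1m3_QS.IKEA.4578944.201504081236.xml")

# Python's re needs (?P<name>...); Splunk's rex (PCRE) accepts (?<name>...).
PATTERNS = {
    # the question's first try: it looks for INF1=, which the event lacks
    "original_attempt": r"INF1=*.(?P<DIST>.*).*.*.xml",
    # the accepted answer: greedy .* followed by exactly 20 chars before xml
    "accepted_answer": (r"ABC5=\/\w*\W*\/\w*\W*\/\w*\W*\w*\W*\w*\W*\w*\W*"
                        r"\w*\W*\w*\W*(?P<DIST>.*).{20}xml"),
    # MuS's answer: the word between the first two dots in the event
    "simple": r"\.(?P<DIST>\w+)\.",
    # added here (assumption): the segment that precedes the two numeric
    # parts and the .xml suffix, matched from the end of the path
    "anchored": r"\.(?P<DIST>[^./]+)\.\d+\.\d+\.xml$",
}


def extract_dist(raw, pattern):
    """Return the DIST capture of the first match, or None when nothing
    matches (the rex command then simply leaves the field unset)."""
    m = re.search(pattern, raw)
    return m.group("DIST") if m else None


def compare(raw=RAW):
    """Run every pattern over one event and report what DIST would hold."""
    return {name: extract_dist(raw, pat) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for label, event in (("question's event", RAW), ("dotted variant", RAW_DOTTED)):
        print(label)
        for name, value in compare(event).items():
            print(f"  {name:17} -> {value!r}")
```

In SPL the equivalent choice is `| rex field=_raw "\.(?<DIST>\w+)\."` versus `| rex field=_raw "\.(?<DIST>[^./]+)\.\d+\.\d+\.xml$"`; the sample events here are constructed, so check the anchored form against real events before relying on it.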

otman01
Communicator

This is what I tried. I don't know how it changed.

source="ok.txt" host="LPO6523" |rex field=_raw "ABC5=//////.(?<DIST>.)..*.xml"


MuS
SplunkTrust

This will not work, because you have to escape the / in regex like this: \/. Also, a * after the / will only match the / zero or multiple times (greedy match); you should use .* or .+ instead.


otman01
Communicator

OK, I will try, and if I find some result I will post a correct answer.


otman01
Communicator

There is a star between the //


MuS
SplunkTrust

This page uses markdown coding; enter Splunk SPL in `` or use the `101010` button to encode it 😉
