- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Finding first occurrence of matching beginning anc...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to create a regex field extraction to deal with odd events where the same string exists multiple times before my end anchor after same begin anchors.
rough example:
<ExternalErrorDescription>A bunch of random stuff</ExternalErrorDescription><ExternalErrorDescription>more stuff</ExternalErrorDescription><ExternalErrorDescription>WHAT I WANT TO EXTRACT 
The text between the last <ExternalErrorDescription> and is what I want to extract. The problem is its always grabbing everything as it matches the first <ExternalErrorDescription> up to my end anchor. I can't figure out the syntax to match the last occurance of the beginning string anchor and end anchor.
This is what I have currently
(?i)ExternalErrorDescription>(?P<ExternalErrorDescription>.*?)\&\#xD;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
.*ExternalErrorDescription>(?<ExternalErrorDescription>.*?)\&\#xD;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
.*ExternalErrorDescription>(?<ExternalErrorDescription>.*?)\&\#xD;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
unfortunately this is still matching everything after the first match of
ExternalErrorDescription>
.*ExternalErrorDescription>(?<ExternalErrorDescription>.*?)\&\#xD;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tested it on your data and it works; try again:
... | rex ".*ExternalErrorDescription>(?<ExternalErrorDescription>.*)\&\#xD;" | fields ExternalErrorDescription
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Interesting, so that does work inline with the search, but I am trying to create a field extraction in settings for this, and it wont work when set the exact same way there. any ideas on how to make that work as a field extraction?
(?i).*ExternalErrorDescription>(?<ExternalErrorDescription>.*)\&\#xD;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I got this working, for some reason I had to add a ? in my declaration. The below now works automatically in field extractions.
(?i).*<ns1:ExternalErrorDescription>(?<ExternalErrorDescription>.*?)\&\#xD;
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't forget to "Accept" the answer.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
