- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Raw Text Rex Expression
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I wonder whether someone could help me please.
I have a string of fields in my raw data in exactly the same format as below.
Address=Address Line 1=1 The Close,
Although I'm trying desperately to learn more about rex expressions, I'm struggling with what I'm trying to accomplish which is:
- Find the field 'Address Line 1
- Then ignore the '=' sign, and the last comma
- Extract the Address Line 1 date i.e. "1 The Close"
Could someone possibly have a look at this please and offer some guidance on how I may acheive this please.
Because I am very keen to learn from this, may I ask if an explanation could also be provided.
Many thanks and kindest regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi IRHM73,
I suggest to learn regex and use online tools like https://regex101.com where you can easily find the following regex will match your requirements:
your base search here | rex "Address\sLine\s1=(?<address>.*)," | do what ever you want with address
or you use the Splunk build in field extractor http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/ExtractfieldsinteractivelywithIFX
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi IRHM73,
I suggest to learn regex and use online tools like https://regex101.com where you can easily find the following regex will match your requirements:
your base search here | rex "Address\sLine\s1=(?<address>.*)," | do what ever you want with address
or you use the Splunk build in field extractor http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/ExtractfieldsinteractivelywithIFX
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MuS, thank you for taking the time to look at this post and come back to me with this.
The extract works, but it extracts the whole transaction which includes 'ip address' and host 'computer settings', rather than just the address Line 1 Data.
I'm currently looking at regex. Hopefully it will help.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's like yesterday, you're asking for something without providing enough information. Provide an real event, hide private information and the community can help you - otherwise, see my answer 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MuS thank you for this. I fully appreciate your comment. The problem I have is that the events include personal information, so I've been trying to make a post with the all the information needed without breaking data protection.
Many thanks and kind regards.
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex "Address Line1=(?<address>[^,]*)"
The regex just looks for everything except a comma ([^,]*) that comes after Address Line 1=, and saves it into the field address
I hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sduff, this is great, it works a treat.
Kind Regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sduff, thank you for coming back to me with this.
Please find an example of the full date string below:
Address=Address Line 1=1 The Street, Address Line 2=The Town, Address Line 3=, Address Line 4=, PostCode=AB1 2CD,
I hope this helps.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rex "Address Line 1=(?<address>[^,]*)"
Needed a space between Line and 1. I've tested this and it works for me.
You probably need several rex (or you could combine them all into a single rex) to get all the lines.
| rex "Address Line 1=(?<address1>[^,]*)"
| rex "Address Line 2=(?<address2>[^,]*)"
| rex "Address Line 3=(?<address3>[^,]*)"
| rex "Address Line 4=(?<address4>[^,]*)"
| rex "PostCode=(?<address_postcode>[^,]*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sduff, thank you very much for this.
Although I'm no longer receiving an error message, I'm still unable to extract the information.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I suggest you provide some examples of the data you're having trouble with. Its a fairly simple regex,, it shouldn't be too complicated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @sduff, thank you for taking the time to reply to my post.
Unfortunately, when I run this I recieve the following error:
Error in 'rex' command: Encountered the following error while compiling the regex 'Address Line1=(?.*)': Regex: unrecognized character after (? or (?-
May I also provide you with more details.
After 'Address=Address Line 1=1 The Close' there is a comma which separates this line and the second address line. I don't know whether this helps.
I've updated my original post to reflect this.
Many thanks and kind regards
Chris
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've updated my answer to show the code a bit clearer. It also reads everything except a comma, so it will stop when it reaches there.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
