Splunk Search

Raw Text Rex Expression

IRHM73
Motivator

Hi, I wonder whether someone could help me please.

I have a string of fields in my raw data in exactly the same format as below.

Address=Address Line 1=1 The Close,

Although I'm trying desperately to learn more about rex expressions, I'm struggling with what I'm trying to accomplish which is:

  • Find the field 'Address Line 1'
  • Then ignore the '=' sign, and the last comma
  • Extract the Address Line 1 data, i.e. "1 The Close"

Could someone possibly have a look at this and offer some guidance on how I may achieve this please.

Because I am very keen to learn from this, may I ask if an explanation could also be provided.

Many thanks and kindest regards

Chris

1 Solution

MuS
SplunkTrust

Hi IRHM73,

I suggest learning regex and using online tools like https://regex101.com, where you can easily find that the following regex will match your requirements:

your base search here | rex "Address\sLine\s1=(?<address>.*)," | do whatever you want with address

or you can use the Splunk built-in field extractor http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/ExtractfieldsinteractivelywithIFX

cheers, MuS


IRHM73
Motivator

Hi @MuS, thank you for taking the time to look at this post and come back to me with this.

The extract works, but it extracts the whole transaction which includes 'ip address' and host 'computer settings', rather than just the address Line 1 Data.

I'm currently looking at regex. Hopefully it will help.

Many thanks and kind regards

Chris


MuS
SplunkTrust

It's like yesterday, you're asking for something without providing enough information. Provide a real event, hide private information and the community can help you - otherwise, see my answer 😉

IRHM73
Motivator

Hi @MuS, thank you for this. I fully appreciate your comment. The problem I have is that the events include personal information, so I've been trying to make a post with all the information needed without breaking data protection.

Many thanks and kind regards.

Chris


sduff_splunk
Splunk Employee

rex "Address Line1=(?<address>[^,]*)"

The regex just looks for everything except a comma ([^,]*) that comes after Address Line 1=, and saves it into the field address

I hope this helps

IRHM73
Motivator

Hi @sduff, this is great, it works a treat.

Kind Regards

Chris


IRHM73
Motivator

Hi @sduff, thank you for coming back to me with this.

Please find an example of the full data string below:

Address=Address Line 1=1 The Street, Address Line 2=The Town, Address Line 3=, Address Line 4=, PostCode=AB1 2CD,

I hope this helps.

Many thanks and kind regards

Chris


sduff_splunk
Splunk Employee

rex "Address Line 1=(?<address>[^,]*)"

Needed a space between Line and 1. I've tested this and it works for me.

You probably need several rex (or you could combine them all into a single rex) to get all the lines.

| rex "Address Line 1=(?<address1>[^,]*)"
| rex "Address Line 2=(?<address2>[^,]*)"
| rex "Address Line 3=(?<address3>[^,]*)"
| rex "Address Line 4=(?<address4>[^,]*)"
| rex "PostCode=(?<address_postcode>[^,]*)"
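The following is an added example, not code from the thread or from Splunk: it runs the two regexes discussed above (the greedy `.*` form and the `[^,]*` form) against a constructed event in the format Chris posted, and shows the five-field extraction combined into a single regex. Splunk's rex uses PCRE, where `(?<name>...)` is accepted; Python's re module needs the `(?P<name>...)` spelling, which is the only change made to the patterns. The event text and the field names are assumptions for illustration.

```python
import re

# Constructed sample event in the format posted in the thread (not real data).
SAMPLE_EVENT = (
    "Address=Address Line 1=1 The Street, Address Line 2=The Town, "
    "Address Line 3=, Address Line 4=, PostCode=AB1 2CD,"
)

# The greedy pattern from the accepted answer: `.*` runs to the end of the
# event and then backtracks to the LAST comma, so it swallows every later
# field as well. Python needs (?P<name>...) where Splunk/PCRE accept (?<name>...).
GREEDY = re.compile(r"Address\sLine\s1=(?P<address>.*),")

# The negated character class stops at the FIRST comma, which is what the
# question actually asked for.
STOP_AT_COMMA = re.compile(r"Address Line 1=(?P<address>[^,]*)")

# All five fields in one regex, equivalent to the five separate rex commands.
# Empty values (Address Line 3 and 4 in the sample) match as empty strings,
# because [^,]* is allowed to match zero characters.
ALL_FIELDS = re.compile(
    r"Address Line 1=(?P<address1>[^,]*),\s*"
    r"Address Line 2=(?P<address2>[^,]*),\s*"
    r"Address Line 3=(?P<address3>[^,]*),\s*"
    r"Address Line 4=(?P<address4>[^,]*),\s*"
    r"PostCode=(?P<address_postcode>[^,]*)"
)


def extract_greedy(event: str):
    """Value captured by the greedy pattern, or None if no match."""
    m = GREEDY.search(event)
    return m.group("address") if m else None


def extract_line1(event: str):
    """Value captured by the [^,]* pattern, or None if no match."""
    m = STOP_AT_COMMA.search(event)
    return m.group("address") if m else None


def extract_all(event: str) -> dict:
    """All five address fields as a dict; empty dict if the event does not match."""
    m = ALL_FIELDS.search(event)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    print("greedy   :", extract_greedy(SAMPLE_EVENT))
    print("[^,]*    :", extract_line1(SAMPLE_EVENT))
    print("all      :", extract_all(SAMPLE_EVENT))
```

Running it shows the greedy form capturing everything up to the final comma of the event, while the `[^,]*` form returns just "1 The Street"; the combined pattern returns empty strings for the two blank address lines rather than failing to match.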

IRHM73
Motivator

Hi @sduff, thank you very much for this.

Although I'm no longer receiving an error message, I'm still unable to extract the information.

Many thanks and kind regards

Chris


sduff_splunk
Splunk Employee

Can I suggest you provide some examples of the data you're having trouble with. It's a fairly simple regex, it shouldn't be too complicated.

IRHM73
Motivator

Hi @sduff, thank you for taking the time to reply to my post.

Unfortunately, when I run this I receive the following error:

Error in 'rex' command: Encountered the following error while compiling the regex 'Address Line1=(?.*)': Regex: unrecognized character after (? or (?-

May I also provide you with more details.

After 'Address=Address Line 1=1 The Close' there is a comma which separates this line and the second address line. I don't know whether this helps.

I've updated my original post to reflect this.

Many thanks and kind regards

Chris


sduff_splunk
Splunk Employee

I've updated my answer to show the code a bit clearer. It also reads everything except a comma, so it will stop when it reaches there.
