Splunk Search

Why is my rex command not extracting the field from my data?

Laya123
Communicator

Hi,

My rex is not giving any results. I want to extract "XXX" from the below highlighted area. I used

rex field=_raw "\"CommO\" type=\"string\"\>\<\!\[CDATA\[(?<Owner>.*)\] - "

but not giving any results.

name="activationtype" type="string"><![CDATA[Activate]]></Property><Property name="Label" type="string"><![CDATA[r315107961a]]></Property><Property name="Description" type="string"><![CDATA[315107961 Verbreitung der Altersvorsorge 2015]]></Property><Property name="CommO" type="string"><![CDATA[XXX]]></Property><Property name="CommissioningCountry" type="string"><![CDATA[DEU--Germany]]></Property><Property name="groupname" type="string"><![CDATA[]]></Property><Property name="cluster" type="string"><![CDATA[Slo-V]]></Property><Property name="clientid"

Thanks in advance

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi Laya123,

You got it almost correct 😉 Just remove the trailing `-` and add a `?` and it's good, like this:

... | rex field=_raw "\"CommO\" type=\"string\"\>\<\!\[CDATA\[(?<Owner>.*?)\]" | ...

cheers, MuS


krishnacasso
Path Finder

The term CDATA comes from the SGML world, which is the complex predecessor of XML. The term is short for Character Data and means that the data consists of characters and should not be parsed. Tags, entities, attributes, and processing instructions inside CDATA are treated as text, not as XML elements.

0 Karma

Laya123
Communicator

Thank you so much. It's working.

0 Karma

Laya123
Communicator

Can you explain to me why we have to use '?'

Thank you in advance

0 Karma

aholzel
Communicator

The ? makes the regex non-greedy, but it is better to use the solution posted below by @somesoni2, which is more efficient. It takes fewer steps to find the match; if the data between the CDATA brackets gets longer, the impact on the search head of the solution below is less than that of this solution.

HattrickNZ
Motivator

Is this any good?
https://regex101.com/r/lN5sA6/1

I think this would translate into something like:
rex field="CDATA\[(?P[X]..)"

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this (I used your sample data as input):

| gentimes start=-1 | eval temp="name=\"activationtype\" type=\"string\"><\!\[CDATA\[(?[^\]]*)\]"

aholzel
Communicator

+1 for using [^\]]; this is way more efficient than .*?

MuS
SplunkTrust
SplunkTrust

You're right, this would be better, if it worked. This is more likely to work:

| gentimes start=-1 | eval temp="name=\"activationtype\" type=\"string\"><![CDATA[Activate]]></Property><Property name=\"Label\" type=\"string\"><![CDATA[r315107961a]]></Property><Property name=\"Description\" type=\"string\"><![CDATA[315107961 Verbreitung der Altersvorsorge 2015]]></Property><Property name=\"CommO\" type=\"string\"><![CDATA[XXX]]></Property><Property name=\"CommissioningCountry\" type=\"string\"><![CDATA[DEU--Germany]]></Property><Property name=\"groupname\" type=\"string\"><![CDATA[]]></Property><Property name=\"cluster\" type=\"string\"><![CDATA[Slo-V]]></Property><Property name=\"clientid\"" | rex field=temp "\"CommO\" type=\"string\"><\!\[CDATA\[(?<Owner>[^\]]*)\]"

0 Karma
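As an added illustration that is not from any poster in the thread, the patterns discussed above (the original greedy `.*` with the trailing `-`, the lazy `.*?`, and the negated class `[^\]]*`) are run in Python against the sample event, so the difference in what each captures is visible side by side. Python's `re` needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`; `extract_property` is a hypothetical generalisation that pulls any Property's CDATA body by name.

```python
import re

# Constructed sample: the event fragment from the question (not well-formed XML, it is cut off).
SAMPLE = ('name="activationtype" type="string"><![CDATA[Activate]]></Property>'
          '<Property name="Label" type="string"><![CDATA[r315107961a]]></Property>'
          '<Property name="Description" type="string"><![CDATA[315107961 Verbreitung der Altersvorsorge 2015]]></Property>'
          '<Property name="CommO" type="string"><![CDATA[XXX]]></Property>'
          '<Property name="CommissioningCountry" type="string"><![CDATA[DEU--Germany]]></Property>'
          '<Property name="groupname" type="string"><![CDATA[]]></Property>'
          '<Property name="cluster" type="string"><![CDATA[Slo-V]]></Property>'
          '<Property name="clientid"')

# The patterns from the thread, with Python's (?P<name>...) group syntax.
PATTERNS = {
    # Original post: greedy .* followed by "] - ". No " - " exists in the event, so it never matches.
    "original_greedy_dash": r'"CommO" type="string"><!\[CDATA\[(?P<Owner>.*)\] - ',
    # Greedy without the dash: backtracks to the LAST "]" in the event and swallows everything after XXX.
    "greedy": r'"CommO" type="string"><!\[CDATA\[(?P<Owner>.*)\]',
    # MuS: lazy quantifier stops at the first "]".
    "lazy": r'"CommO" type="string"><!\[CDATA\[(?P<Owner>.*?)\]',
    # somesoni2: negated class can never step over a "]", so no backtracking is needed at all.
    "negated_class": r'"CommO" type="string"><!\[CDATA\[(?P<Owner>[^\]]*)\]',
}


def extract_owner(event, pattern):
    """Return the Owner capture for one pattern, or None when it does not match."""
    m = re.search(pattern, event)
    return m.group("Owner") if m else None


def extract_property(event, name):
    """Hypothetical generalisation: CDATA body of any Property by name, using the negated-class form.

    Requires the closing ]]> so an empty CDATA (e.g. groupname) yields "" rather than a bogus match.
    """
    pat = r'name="' + re.escape(name) + r'" type="string"><!\[CDATA\[(?P<val>[^\]]*)\]\]>'
    m = re.search(pat, event)
    return m.group("val") if m else None


if __name__ == "__main__":
    for label, pat in PATTERNS.items():
        print(f"{label:22} -> {extract_owner(SAMPLE, pat)!r}")
    for prop in ("CommO", "groupname", "cluster", "clientid"):
        print(f"{prop:22} -> {extract_property(SAMPLE, prop)!r}")
```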