Splunk Search

How do I use regex to extract value in parenthesis preceded by parenthesis?

aramakrishnan
New Member

I have the following log(s) from which I want to extract the value inside the parenthesis. The parenthesis field is preceded by 2 other values in parenthesis, and is followed by the statement "No activation date"

{2015-09-24} {465456] [N1234SYS04] No activation date and no log bytes available.

I would like to extract the value in the 3rd parenthesis (i.e. N1234SYS04) as it is a valuable ID field that is not getting parsed into a field on Splunk. I'd like to use the regex command but I'm not sure what my syntax should be (rex field = _raw(......))

Any help would be great. Thanks!


MuS
SplunkTrust

Hi aramakrishnan,

you can try this regex:

your base search here | rex field=_raw "\[(?<ID>[^\]]*)" | do further splunk fu with ID

Hope this helps ...

cheers, MuS


aramakrishnan
New Member

This extracts the field, but the issue is that there are actually 2 other fields that are preceded by the field I want, which also have the same format, i.e. [2015-09-24][465456][N1234SYS04]. Using the rex syntax you provided pulls information from the first one, but I want it from the 3rd parenthesis (i.e. I want the field to only show N1234SYS04, but currently it's showing 2015-09-24). How can I specify which parenthesis I want to start the extraction from?


wrangler2x
Motivator

The original example you gave shows {} for the first, {] for the second, and [] for the third. With that data sample @Mus's rex would work perfectly.

If in fact you have [] [] [] then you can modify Mus's rex this way:

... | rex field=_raw "\[.*?\]\s+\[.*?\]\s+\[(?<ID>[^\]]*)" | stats count by ID

aramakrishnan
New Member

Thank you so much @wrangler2x and @Mus. That worked perfectly.


MuS
SplunkTrust

tested and working with this regex:

/opt/splunk/bin/splunk cmd pcregextest mregex="(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" test_str="[2015-09-24][465456][N1234SYS04]. 
> "

Original Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Expanded Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Regex compiled successfully. Capture group count = 2. Named capturing groups = 1.
SUCCESS - match against: '[2015-09-24][465456][N1234SYS04]. 
'

#### Capturing group data ##### 
Group |            Name | Value
--------------------------------------
    1 |                 | [465456]
    2 |              ID | N1234SYS04

so use it like this:

your base search here | rex field=_raw "(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" | ...
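The three rex patterns posted in this thread (MuS's first `\[(?<ID>[^\]]*)`, wrangler2x's `\[.*?\]\s+\[.*?\]\s+\[(?<ID>[^\]]*)` and MuS's tested `(\[[^\]]*\]){2}\[(?<ID>[^\]]*)`), run side by side as an added example that is not part of any post above. Node's RegExp accepts the same `(?<ID>...)` named-group syntax that Splunk's rex uses, so the patterns can be checked offline without a Splunk instance. The sample lines are constructed from the examples in the question and reply, not real log data, and the fourth pattern (`tolerant`) is an addition of mine, not something posted in the thread.

```javascript
// Added example (not from the original thread): run the rex patterns posted
// above against constructed sample lines using Node's RegExp, which accepts
// the same (?<name>...) named groups that Splunk's rex command uses.

const patterns = {
  // MuS's first answer: captures whatever follows the first "[" in the event
  first: /\[(?<ID>[^\]]*)/,
  // wrangler2x's variant: two "[...]" fields, each followed by at least one
  // whitespace character, then the third field
  spaced: /\[.*?\]\s+\[.*?\]\s+\[(?<ID>[^\]]*)/,
  // MuS's tested pattern: two "[...]" fields with nothing between them,
  // then the third field
  adjacent: /(\[[^\]]*\]){2}\[(?<ID>[^\]]*)/,
  // Added tolerant form (my assumption, not from the thread): zero or more
  // whitespace between the fields, and the closing "]" of the ID anchored
  tolerant: /(?:\[[^\]]*\]\s*){2}\[(?<ID>[^\]]*)\]/,
};

// Constructed sample events: the "[..][..][..]" layout from the follow-up,
// the same layout with spaces, and the mixed "{..} {..] [..]" layout from the
// original question.
const samples = {
  adjacent: "[2015-09-24][465456][N1234SYS04] No activation date and no log bytes available.",
  spaced:   "[2015-09-24] [465456] [N1234SYS04] No activation date and no log bytes available.",
  mixed:    "{2015-09-24} {465456] [N1234SYS04] No activation date and no log bytes available.",
};

// Return the captured ID field for one pattern and one line, or null when the
// pattern does not match at all (which is what rex would do: no field set).
function extractId(pattern, line) {
  const m = pattern.exec(line);
  return m && m.groups ? m.groups.ID : null;
}

// Build a table: pattern name -> sample name -> extracted ID (or null).
function compare() {
  const out = {};
  for (const [pName, re] of Object.entries(patterns)) {
    out[pName] = {};
    for (const [sName, line] of Object.entries(samples)) {
      out[pName][sName] = extractId(re, line);
    }
  }
  return out;
}

console.table(compare());
```

Running this with `node` prints a table showing which pattern extracts `N1234SYS04` from which layout: `first` only returns the right value for the mixed-bracket sample, `spaced` needs at least one whitespace character between the fields, and `adjacent` needs none. Whichever layout your events actually use, it pays to run the chosen rex against a sample of both layouts before relying on the `ID` field in a search or alert, because a non-matching pattern silently leaves the field unset rather than raising an error.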