Solved: Regex to capture values

xvxt006 · ‎09-27-2015

Hi,

I have events like below. I need to extract 4EU56, 4YB2. the number of lines between statictext and Y-EER-RTY would vary.
Sometimes I might not have anything, sometimes they could be 10, and sometimes they could be some other number.
In the example below, I gave 2. So how can I get all of them between, and | for all of them till Y-EER-RTY?

statictext
,4EU56|1|1|456|anotherstatictext
,4YB2|1|1|946|200930||||S_NW|anotherstatictext
 Y-EER-RTY

MuS · ‎09-27-2015

Hi xvxt006,

based on the provided example you can use this regex:

base search here | rex max_match=0 "^,(?<myField>[^|]*)" | table myField

This will get everything between all lines starting with , until the next |

Update:

based on the comments below, this is the correct answer

Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right

 (?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)

Works on regex101.com with your provided examples and returns the following matches:

 MATCH 1
 myField    [94-100]    `12R071`
 MATCH 2
 myField    [159-165]    `12R095`
 MATCH 3
 myField    [224-230]    `12R090`
 MATCH 4
 myField    [289-295]    `12R078`

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎09-27-2015

Hi xvxt006,

based on the provided example you can use this regex:

base search here | rex max_match=0 "^,(?<myField>[^|]*)" | table myField

This will get everything between all lines starting with , until the next |

Update:

based on the comments below, this is the correct answer

Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right

 (?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)

Works on regex101.com with your provided examples and returns the following matches:

 MATCH 1
 myField    [94-100]    `12R071`
 MATCH 2
 myField    [159-165]    `12R095`
 MATCH 3
 myField    [224-230]    `12R090`
 MATCH 4
 myField    [289-295]    `12R078`

Hope this helps ...

cheers, MuS

xvxt006 · ‎09-28-2015

Thank you. This gives me an idea on how to tackle some other scenarios. Can you make this as Answer. don't have permissions to do that..

MuS · ‎09-28-2015

update ping; modified the answer to be correct now

xvxt006 · ‎09-27-2015

Basically i am looking for shippingResponse= or , as left boundaries and | as the right boundary. That would give me
12R071,12R095,12R090,12R078

MuS · ‎09-28-2015

Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right

(?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)

Works on regex101.com with your provided examples and returns the following matches:

MATCH 1
myField [94-100]    `12R071`
MATCH 2
myField [159-165]   `12R095`
MATCH 3
myField [224-230]   `12R090`
MATCH 4
myField [289-295]   `12R078`

xvxt006 · ‎09-27-2015

Hi Michael,

this gives better results but still there is unwanted text. Just trying to understand what you wrote in that expression.
Does this (?!,])[=,] mean that either either "=" or "," cannot not be preceeded by "," or "]"

is there an email i can send you what i am seeing?

xvxt006 · ‎09-27-2015

Hi MuS, static test i mentioned has "," in it. So that won't work.

Here is more realistic example of the event. I need 12R095,12R090,12R078

|ItemBranch:|FulfillingBranch:|S|Line#:|GenMessage:Y|ShipMode:GR|ShipDate:,] shippingResponse=12R071|1|1|005|20150930||||S_NW|standard.ship.stocked.available
,12R095|1|1|002|20150929||||S_NW|standard.ship.stocked.available
,12R090|1|1|003|20151001||||S_NW|standard.ship.stocked.available
,12R078|1|1|005|20150930||||S_NW|standard.ship.stocked.available
Y-EER-RTY

MuS · ‎09-27-2015

Try this :

base search here | rex max_match=0 "(?!,\])[=,](?<myField>[^|]*)" | table myField

Regex to capture values

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms