How do I write the regex to extract these 3 fields from my sample data?

adicoza786
Explorer

Hi,

I have the following sample field in my log.

filter=somename89898+20+O

I want to ideally extract 3 fields with + being separator, say:

name = somename89898
count = 20
state = O

However, + can also appear in the name, so I cannot use + to split, but here is what I know:

This will be in reverse (i.e. from last character):
The last character (one single character) of the field will always be an enum say {O or P}.
Previous to that, there will be one separator, and previous to that will be any number of digits.
Previous to that, there will be a separator, and anything that remains prior to that is the name field.

Another example to make things clear:

filter=somename8+9898+20+O

Here, I want the following result:

name = somename8+9898
count = 20
state = O

Is there a way to achieve this?

Regards,
Aditya


aljohnson_splun
Splunk Employee

Edit:

Lisa's answer is better:

filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$

You bet!

https://regex101.com/r/vJ2bE4/1


lguinn2
Legend

This forum may not be the best place to learn regular expressions, but I think this will do what you want.

filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$

The above assumes that there is nothing on the line following the filter string. If you want to use this regular expression in a rex command, it would need to look like this:

| rex field=filter "(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$"
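Added example (not part of the thread): the same pattern run from Python over constructed lines modelled on the two samples in the question, showing why the greedy name group still yields the right split when the name itself contains "+". Python's re module spells named groups (?P<name>...), whereas Splunk's PCRE accepts (?<name>...); the logic is otherwise identical to the regex above.

```python
import re
from typing import Optional

# Splunk's PCRE accepts (?<name>...); Python's re module needs (?P<name>...).
# The name group is greedy and may itself contain '+'. Because the pattern is
# anchored with $, the engine backtracks from the end of the string until the
# trailing "+<digits>+<one char>" fits, so the LAST two '+' act as separators
# no matter how many '+' occur earlier in the name.
FILTER_RE = re.compile(r"filter=(?P<name>\S+)\+(?P<count>\d+?)\+(?P<state>\S)$")


def extract_filter(line: str) -> Optional[dict]:
    """Return {'name', 'count', 'state'} for a log line, or None if it does not match."""
    m = FILTER_RE.search(line)
    if m is None:
        return None
    return m.groupdict()


def extract_all(lines):
    """Apply extract_filter to every line; non-matching lines yield None."""
    return [extract_filter(line) for line in lines]


# Constructed sample lines modelled on the question's two examples, plus one
# malformed line (trailing state character missing) to show a non-match.
SAMPLE_LINES = [
    "filter=somename89898+20+O",   # no '+' inside the name
    "filter=somename8+9898+20+O",  # '+' inside the name
    "filter=somename8+9898+20",    # state character missing -> None
]

if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, extract_all(SAMPLE_LINES)):
        print(f"{line!r} -> {fields}")
```

As in the posted regex, state is taken as any non-whitespace character; restricting it to the enum the question mentions, [OP], would make an unexpected trailing value fail extraction instead of being accepted silently.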


adicoza786
Explorer

Thanks lguinn.


adicoza786
Explorer

The following too worked for me:

rex field=filter "(?<name>.*)\+(?<count>\d+)\+(?<state>O)"