Splunk Search

How do I write the regex to extract these 3 fields from my sample data?

adicoza786
Explorer

Hi,

I have the following sample field in my log.

filter=somename89898+20+O

I want to ideally extract 3 fields with + being separator, say:

name = somename89898
count = 20
state = O

However, + can also appear in the name, so I cannot use + to split, but here is what I know:

This will be in reverse (i.e. from last character):
The last character (one single character) of the field will always be an enum say {O or P}.
Previous to that, there will be one separator, and previous to that will be any number of digits.
Previous to that, there will be a separator, and anything that remains prior to that is the name field.

Another example to make things clear:

filter=somename8+9898+20+O

Here, I want the following result:

name = somename8+9898
count = 20
state = O

Is there a way to achieve this?

Regards,
Aditya

aljohnson_splun
Splunk Employee

Edit:

Lisa's answer is better:

filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$

You bet!

https://regex101.com/r/vJ2bE4/1

lguinn2
Legend

This forum may not be the best place to learn regular expressions, but I think this will do what you want:

filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$

The above assumes that there is nothing on the line following the filter string. If you want to use this regular expression in a rex command, it would need to look like this:

| rex field=filter "(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$"
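
As an added illustration (not code from this thread), here is the accepted regex in Python's re syntax next to the right-to-left split the question describes, run over the question's own sample values. It assumes the bare field value (as with rex field=filter, so no "filter=" prefix), writes the lazy \d+? greedy (equivalent here, since a literal + must follow) and restricts state to the {O, P} enum named in the question, which the answer's \S does not enforce.

```python
import re

# The accepted answer's pattern in Python's re syntax: Splunk's rex (PCRE) writes
# named groups as (?<name>...), Python needs (?P<name>...). Assumptions: the
# value is the bare field content (as with "| rex field=filter", no "filter="
# prefix), the lazy \d+? is written greedy (equivalent, a literal + must follow),
# and state is limited to the {O, P} enum from the question instead of \S.
FILTER_RE = re.compile(r"^(?P<name>\S+)\+(?P<count>\d+)\+(?P<state>[OP])$")

def extract_regex(value):
    r"""Return {'name', 'count', 'state'} or None if the value does not fit.

    \S+ is greedy, so it first swallows the whole value and then backtracks
    until '+<digits>+<O|P>' fits at the end. That is why a '+' inside the
    name is harmless: only the last two separators are treated as such."""
    m = FILTER_RE.match(value)
    return m.groupdict() if m else None

def extract_rsplit(value):
    """The same layout parsed from the right, exactly as the question
    describes it: last piece is the state, the one before it the count,
    everything before that (including any '+') is the name."""
    parts = value.rsplit("+", 2)
    if len(parts) != 3:
        return None
    name, count, state = parts
    if not name or not count.isdigit() or state not in ("O", "P"):
        return None
    return {"name": name, "count": count, "state": state}

# Constructed sample values: the two from the question, one whose name itself
# ends in '+<digits>', and one that is missing the state and must be rejected.
SAMPLES = [
    "somename89898+20+O",
    "somename8+9898+20+O",
    "a+1+2+P",
    "somename89898+20",
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v:25} regex={extract_regex(v)} rsplit={extract_rsplit(v)}")
```

Both parsers reject a value with trailing text after the state, which is the same limitation the anchored `$` in the answer carries.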

adicoza786
Explorer

Thanks lguinn.

adicoza786
Explorer

The following too worked for me -

| rex field=filter "(?<name>.*)\+(?<count>\d+)\+(?<state>O)"