Solved: rex, Extract information between two slashes and b...

fklink · ‎10-18-2016

Hi,

i have information like: "DESCRIPTION EMEA:GERMANY:FRANKFURT / client4711 / down"
where DESCRIPTION is a field, already. I would like to rex the information "client4711".
This should be done by rex all information which starts which "/" followed by one "blank" "client4711" one "blank" followed by "/".

Could you anwer my question, please?
Many thanks in advance.
floe.

gokadroid · ‎10-19-2016

Try this which will cover all clients, basically everything between blank and blank:

... | rex field=DESCRIPTION "\/\s(?<client>\S+)\s\/" | ...

View solution in original post

gokadroid · ‎10-19-2016

Try this which will cover all clients, basically everything between blank and blank:

... | rex field=DESCRIPTION "\/\s(?<client>\S+)\s\/" | ...

fklink · ‎10-19-2016

Many thanks. Looks better 🙂

i see some clients, now. Unfortunately, if a client includes one or more "-" splunk doesn't extract the information.

Example:
client4711- works 🙂
client8888 - works 🙂
client-4711 splunk doesn't extract the information
client-47-12-21 splunk doesn't extract the information

Is there a way to tell rex "extract everything between /blank /blank?

Many thanks in advance
floe.

richgalloway · ‎10-19-2016

Try this:

... | rex field=DESCRIPTION "\/\s(?<client>\w+)\s\/" | ...

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎10-19-2016

Here's an update based on your comment.

... | rex field=DESCRIPTION "\/\s(?<client>[^\s]+)\s\/" | ...

---
If this reply helps you, Karma would be appreciated.

inventsekar · ‎10-19-2016

check this one..
your search | rex field=_raw "\/\s(?<ClientNumber>\w+\d+)\s\/" | table ClientNumber

rex, Extract information between two slashes and blanks

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms