Solved: What is the regular expression for my use case?

sravankaripe · ‎11-10-2016

i am unable to display dv_state="Closed Complete" from the data. please help me with REX for this use case.

dv_state="Closed Complete"
dv_state="Open"

gokadroid · ‎11-10-2016

I answered similar question that would have extracted all the "dv_" for you from your data but seems you had figured it out there:

https://answers.splunk.com/answers/475190/help-me-rex-extraction.html#answer-474189

However just for this state piece this is how u do it :

yourQuery to return the data
| rex "dv_state\=\"(?<state>[^\"]+)"
| table state

If you also want the dv_state= in the string as wel use this:

yourQuery to return the data
| rex "(?<stateField>dv_state\=)\"(?<state>[^\"]+)"
| eval myString=stateField."\"".state."\""
| table stateField, state, myString

View solution in original post

DarthDMader · ‎11-10-2016

rex "dv_state=\"(?<dv_state>[^\"]*)\""

Regular Expressions is a Language for it's own... there are many good creators for that.
online I often use regexr(dot)com
On Mac is regExRX a good choice

Kind regards
Darth

gokadroid · ‎11-10-2016

I answered similar question that would have extracted all the "dv_" for you from your data but seems you had figured it out there:

https://answers.splunk.com/answers/475190/help-me-rex-extraction.html#answer-474189

However just for this state piece this is how u do it :

yourQuery to return the data
| rex "dv_state\=\"(?<state>[^\"]+)"
| table state

If you also want the dv_state= in the string as wel use this:

yourQuery to return the data
| rex "(?<stateField>dv_state\=)\"(?<state>[^\"]+)"
| eval myString=stateField."\"".state."\""
| table stateField, state, myString

What is the regular expression for my use case?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor