How to develop a regular expression to use with a ...

hegeman1982 · ‎12-21-2016

I am trying to come up with a regular expression to use with the field extractor that would return the value of a string between two strings. The basic formatting is the following:

[nls-string-val raw="Temperature (1) - Rack 4 Back Door Top">Temperature (1) - Rack 4 Back Door Top[/nls-string-val]

I would want the field extractor regex to return the following: Temperature (1) - Rack 4 Back Door Top">Temperature (1) - Rack 4 Back Door Top

*the '[' symbols above are actually '<' symbols but this forum would not let me post links. *
I was trying to use lookbehind and lookahead but was not having any success.

Any tips for how to accomplish this? The REGEX I have tried is "[nls-string-val raw="(.*)<\/nls-string-val>) and it doesn't work"

aaraneta_splunk · ‎12-21-2016

@hegeman1982 - Just so you know, there is special markup language on this site so certain symbols will transform your post, such as the < symbols. If you wish to show the < (i.e. you are displaying sample code or regular expressions), simply click on the Code Sample icon to the right of the Blockquote icon in the formatting toolbar.

somesoni2 · ‎12-21-2016

Give this a try (test it in a search using inline rex command before putting in props.conf)

your base search | rex "nls-string-value raw=\"(?<FieldName>[^\<]+)\<\/nls-string-val"

How to develop a regular expression to use with a field extraction?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!