I need to do a field extraction for everything after the ) to the end of the first line. I've tried about every regex I can think of to signify EOL but nothing seems to work so far.
Here is an event sample:
2017-02-22T18:01:04 | Creating request for https://0.0.0.0/images/logo.gif (msecure.company.com) Mobile US Site1 VIP
2017-02-22T18:01:04 | Information SSL1399 - The certificate is valid.; Data: Mobile US Site1 VIP; URL: https://0.0.0.0/images/logo.gif; Domain: msecure.company.com; Expiration: 08/10/2018 08:00:00
So for this event I would want this field to be "Mobile US Site1 VIP".
I'm sure I'm messing something up. Thanks in advance!
Hi, sorry if I misunderstood.
Is that a multiline event? If so, you should use this one:
.*?\)\s+(?P<description>.*?)\n
YES! That did it. Thanks!
@Jeck11, glad @jrballesteros05's answer provided a working solution to your question. Please don't forget to resolve this post by clicking "Accept".
This one seems to work for me:
.*?\)\s+(?P<description>.*)
Yeah. That's what I came up with when using an external site like https://www.regex101.com/. Unfortunately, when I try that in Splunk it begins at the correct spot but goes all the way to the end of the last line instead of stopping at the end of line 1.
So your example is a multi-line event? This might work: ^.[^)]+\)\s+(?P<description>.+)\n?
Is this what you are trying to do?
(?:^)(?:[^\)]+\)\s)(.+)
Your regex doesn't appear to select anything when I try it.
Here is the regex that Splunk gives me when I try and do it through the wizard:
^[^\)\n]*\)\s+(?P<description>\w+\s+\w+\s+\w+\s+\w+)
This will select anything up to a special character but the final field could have a dash ("-") in it and I can't control how long it is either.
This seems to work at: https://www.regex101.com/
^.[^)]+\)\s+(?P<description>.+)