Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use rex out the below text ?

m7787580
Explorer
‎05-23-2017 07:38 AM

Full or partial cease : </strung></td> <td width="100%" galign="top" >Full<

I would like to extract the below text using rex command and save it in field as cease in the below example ?
Starting after cease of Full or partial cease and ending where is the last character.here it is &It;

It will look like below.
Cease= </strung></td> <td width="100%" galign="top" >Full<

Help would be highly appreciated

Regards,

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-23-2017 08:48 AM

Like this:

... | rex "Full or partial cease\s*:\s*(?<Cease>.*)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

damiensurat
Contributor
‎05-24-2017 06:40 AM

Hi m7787580, Depending on the format of the search string, one or all of these should work. I would like to point out that when using the rex command, it is good to indicate which field you intend on extracting data from. For EG: rex field=MyHTMLStringData ".Cease=.>(?\w*)<"

These are the rex without the field parameter defined, but you can put it in at any point. Have a great day =)...

... | rex ".Cease=.>(?\w*)<"

OR 


... | rex "Full or partial cease Cease=.*>(?<Cease>\w*)<"


OR


... | rex ">(?<Cease>\w*)<"
0 Karma
Reply
Solved! Jump to solution

damiensurat
Contributor
‎05-24-2017 05:52 AM 
... | rex" Full or partial cease Cease=.*>(?<Cease>\w*)<"
0 Karma
Reply
Solved! Jump to solution

m7787580
Explorer
‎05-24-2017 04:29 AM

Hi All,
There is sudden change i requirement now i have to fetch only >Full< from the text mentioned above.

New field= >Full<

I tried but its not working for me.

Many thanks in advance

0 Karma
Reply
Solved! Jump to solution

damiensurat
Contributor
‎05-24-2017 04:47 AM 
... | rex "Full or partial cease\s*:\s*Cease=.*>(?\w*)<"
0 Karma
Reply
Solved! Jump to solution

m7787580
Explorer
‎05-24-2017 05:35 AM

I am getting below error.

Error in 'rex' command: Encountered the following error while compiling the regex 'Full or partial cease\s*:\s*Cease=.>(?\w)<': Regex: unrecognized character after (? or (?-

0 Karma
Reply
Solved! Jump to solution

damiensurat
Contributor
‎05-24-2017 04:52 AM

Please remember to Hit accepted answer and the up arrow.... thanks and have a great day. Hope it helped...

0 Karma
Reply
Solved! Jump to solution

m7787580
Explorer
‎05-24-2017 05:39 AM

I tried to use your below query

rex "Full or partial cease\s*:\s*Cease=.>(?\w)<"|table NewFieldName

But it's not giving me any result.
Thanks for your help in advance

0 Karma
Reply
Solved! Jump to solution

m7787580
Explorer
‎05-24-2017 05:55 AM

this is the exact full text

Full or partial cease : </strong></td>
<td width="60%" valign="top"
>Full</td>
</tr>

0 Karma
Reply
Solved! Jump to solution

damiensurat
Contributor
‎05-24-2017 06:30 AM

Perfect, one other question... Is this event in a single string format, or is it logged with line breaks?

0 Karma
Reply
Solved! Jump to solution

m7787580
Explorer
‎05-24-2017 06:43 AM

I guess it is logged with line breaks

0 Karma
Reply
Solved! Jump to solution

damiensurat
Contributor
‎05-24-2017 06:50 AM 
    Hi  m7787580,  Depending on the format of the search string, one or all of these should work.  I would like to point out that when using the rex command, it is good to indicate which field you intend on extracting data from.  For EG: rex field=MyHTMLStringData ".*Cease=.*>(?<Cease>\w*)<"

    These are the rex without the field parameter defined, but you can put it in at any point.  Have a great day =)...

     ... | rex ".*Cease=.*>(?<Cease>\w*)<"


        OR 


        ... | rex "Full or partial cease Cease=.*>(?<Cease>\w*)<"


        OR


        ... | rex ">(?<Cease>\w*)<"
0 Karma
Reply
Solved! Jump to solution

damiensurat
Contributor
‎05-24-2017 05:54 AM

sorry about that, I entered as text and not code and some bits were removed. I have resubmitted as an answer, which is what you are looking for. Should be available shortly.

0 Karma
Reply
Solved! Jump to solution

m7787580
Explorer
‎05-24-2017 06:13 AM

Thanks for helping.
I am gladly waiting for your answer 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-23-2017 08:48 AM

Like this:

... | rex "Full or partial cease\s*:\s*(?<Cease>.*)"
0 Karma
Reply
Solved! Jump to solution

m7787580
Explorer
‎05-24-2017 04:29 AM

Hi Woodcock,

There is sudden change i requirement now i have to fetch only >Full< from the text mentioned above.

New field= >Full<

I tried but its not working for me.

Many thanks in advance

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-24-2017 07:18 AM

So your data is like this:

Full or partial cease : </strong></td> 
<td width="60%" valign="top" 
>Full</td> 
</tr>

So try this:

| makeresults 
| eval _raw="Full or partial cease : </strong></td> 
<td width=\"60%\" valign=\"top\" 
>Full</td> 
</tr>"

| rename COMMENT AS "Everything above fakes test data; everything below is your solution"

| rex "(?ms)Full or partial cease\s*:\s*.*?<td.*?>(?<MyValue>.*?)</td>"
0 Karma
Reply
Solved! Jump to solution

damiensurat
Contributor
‎05-24-2017 07:54 AM

nice use of makeresults woodcock!

Reply
Get Updates on the Splunk Community!

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...