Splunk Search

Regex to extract from start until a specific character

Sukisen1981
Champion

I have a test field in a CSV called description:
Completed changes are not shown as complete in channels for a while Actualstart: 2017-05-15 06:40:34
I want to extract everything from the start of the string until I encounter Actualstart.
I do not know how long the substring before Actualstart is going to be, but I need to extract from the start until Actualstart is reached.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi Sukisen1981,
try something like this

your_search
| rex "^(?<string>.*)Actualstart"
| ...

Bye.
Giuseppe


0 Karma


Sukisen1981
Champion

Nope Giuseppe, doesn't work. Tried that before as well. BTW, what does your rex mean? Are you trying to extract FROM the description field or in general? I tried both options without luck.

0 Karma

gcusello
SplunkTrust
SplunkTrust

I tried it on regex101.com and it runs (see https://regex101.com/r/G6sRG9/1), could you share an example to test it again?
Anyway, my regex says to take into the "string" field all the chars from the beginning of the row until the word "Actualstart".
Bye.
Giuseppe

0 Karma

Sukisen1981
Champion

tomec error on mos order 4006, location is ok, but numberseries 24034800-4899 = 100 numbers has failed towards tomec.

Actual start: 2017-09-08 11:54:46

Business impact:

? Customers 100000 numbers is Down no Calls in or out.

Here is a sample of the description field. Now, the issue is not because of Actual start vs Actualstart... I had removed \s+ from description. Is it because of the space between the text and Actual Start?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi
The problem is the multi-line field, try this regex:

| rex "(?ms)^(?<string>.*)\s+Actual start"

and test it at https://regex101.com/r/G6sRG9/2
Bye.
Giuseppe
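Added example, not part of the thread and not Splunk's own code: the behaviour Giuseppe describes, reproduced with Python's re module on a constructed event modelled on the sample posted above. Python writes named groups as (?P<name>...) where Splunk's PCRE-based rex accepts (?<name>...); the inline flags (?m) and (?s) mean the same in both engines. The function names and the lazy (?s) variant at the end are my additions.

```python
import re
from typing import Optional

# Constructed sample, modelled on the description field posted in the thread.
# Splunk's event view hides the line breaks, but the field really contains them.
SAMPLE_DESCRIPTION = (
    "tomec error on mos order 4006, location is ok, but numberseries "
    "24034800-4899 = 100 numbers has failed towards tomec.\n"
    "\n"
    "Actual start: 2017-09-08 11:54:46\n"
    "\n"
    "Business impact:\n"
    "\n"
    "? Customers 100000 numbers is Down no Calls in or out.\n"
)
FIRST_LINE = SAMPLE_DESCRIPTION.split("\n", 1)[0]

# The thread's first attempt, with the real "Actual start" spelling. Without
# (?s), '.' cannot cross the newline after "tomec.", so the literal never lines up.
GREEDY_NO_FLAGS = r"^(?P<string>.*)Actual start"
# Lazy quantifier, same problem: laziness is not the fix, DOTALL is.
LAZY_NO_FLAGS = r"^(?P<string>.*?)Actual start"
# The accepted answer: (?s) lets '.' match newlines, (?m) only changes what ^ means.
ACCEPTED_ANSWER = r"(?ms)^(?P<string>.*)\s+Actual start"
# My variant: lazy '.*?' under (?s) stops at the first separator and hands all
# of the whitespace to \s+, so the captured value carries no trailing newline.
LAZY_DOTALL = r"(?s)^(?P<string>.*?)\s+Actual start"


def extract_prefix(description: str, pattern: str) -> Optional[str]:
    """Return the captured 'string' group, or None when the regex does not match.
    This mirrors rex: a non-matching regex simply produces no field."""
    m = re.search(pattern, description)
    return m.group("string") if m else None


def compare_patterns(description: str = SAMPLE_DESCRIPTION) -> dict:
    """Run every pattern above over one description and collect the captures."""
    return {
        name: extract_prefix(description, pattern)
        for name, pattern in {
            "greedy_no_flags": GREEDY_NO_FLAGS,
            "lazy_no_flags": LAZY_NO_FLAGS,
            "accepted_answer": ACCEPTED_ANSWER,
            "lazy_dotall": LAZY_DOTALL,
        }.items()
    }


if __name__ == "__main__":
    for name, value in compare_patterns().items():
        print(f"{name:16s} -> {value!r}")
```

Two things the comparison makes visible that the thread only hints at: the two single-line patterns return nothing at all (Splunk shows an empty string field), and the accepted greedy form does match but keeps one "\n" at the end of the capture, because greedy backtracking gives back as little as possible and leaves only the last newline for \s+. If the extracted field feeds a stats or lookup, the lazy (?s) form yields the cleaner value.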

Sukisen1981
Champion

Hi,

It works now! Thanks a lot. I had forgotten that although in Splunk it looks like there are no gaps, the description field is indeed multi-lined.

Many thanks once again, I am accepting the answer.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This should do it.

... | rex field=description "(?<string>.*?)Actualstart" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

Sukisen1981
Champion

I tried that before, does not work. This is very simple and I have done more complex regex but this very obvious rex returns empty values for string...

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The regex works fine on regex101.com. Can you share a complete event and your full query? Are you sure there is a field called 'description'?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Sukisen1981
Champion

tomec error on mos order 4006, location is ok, but numberseries 24034800-4899 = 100 numbers has failed towards tomec.

Actual start: 2017-09-08 11:54:46

Business impact:

? Customers 100000 numbers is Down no Calls in or out.

Here is a sample of the description field. Now, the issue is not because of Actual start vs Actualstart... I had removed \s+ from description. Is it because of the space between the text and Actual Start?

0 Karma