Extract value until specified char &

saifullakhalid · ‎11-20-2017

I want to extract value until the first occurrence of char &

My log :

?pyActivity=FinishAssig&pzPrimaryPageName=pyWorkPage&pzTransactionId=xxxxx&pzFromFrame=pyWorkPage HTTP/1.1" 200 1383

?pyActivity=Sh-Harness&Purpose=Perform&SkipFrame=true&TaskIndex=1&HarnessMode=ACTION&TaskValue=CAIXXXr_____CA&TaskHTML=CAXXX&ReadOnly=-1&FrameName=pyWorkPage&pzPrimaryPageName=pyWorkPage HTTP/1.1" 200 14547

?pyActivity=Data-Por.Get&IsBMLogin=true&inStandardsMode=false&AJAXTrackID=1&pzHarnessID=HIDXXXXHTTP/1.1" 200 10

expected output:

FinishAssig
Sh-Harness
Data-Por.Get

I tried below but it dint work, it will extract values until last occurance of char &
rex field=_raw "\?pyActivity=(?.+)&"

mtulett_splunk · ‎11-21-2017

Try using: rex field=_raw "pyActivity=(?<pyActivity>.+?)&"

This will match as few characters as possible up to the first ampersand. The question mark after the plus sign is what makes this happen. You also need to name the field in the extraction, which is the ?<pyActivity> portion of the regex.

niketn · ‎11-20-2017

Ideally Splunk should extract key value pair on its own from your _raw data provided KV_MODE=none has not been set explicitly in props.conf. Have you run the search in SMART or VERBOSE mode to check Interesting Fileds list to confirm whether Search Time Field Discovery is working as expected or not?

During search time you can also do this via KV command or extract command by passing yourkvdelimandpairdelim(besides therexcommand which is already shared). Following are two run anywhere searches based on your data (PS: Commands till| rename` are used to mock the sample data provided in the question. You can add the KV or extract command directly after your base search filter :

|  makeresults
|  eval data="?pyActivity=FinishAssig&pzPrimaryPageName=pyWorkPage&pzTransactionId=xxxxx&pzFromFrame=pyWorkPage HTTP/1.1\" 200 1383;
?pyActivity=Sh-Harness&Purpose=Perform&SkipFrame=true&TaskIndex=1&HarnessMode=ACTION&TaskValue=CAIXXXr_____CA&TaskHTML=CAXXXℜadOnly=-1&FrameName=pyWorkPage&pzPrimaryPageName=pyWorkPage HTTP/1.1\" 200 14547;
?pyActivity=Data-Por.Get&IsBMLogin=true&StandardsMode=false&AJAXTrackID=1&pzHarnessID=HIDXXXXHTTP/1.1\" 200 10"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  KV
|  table * _raw

OR the following:

|  makeresults
|  eval data="?pyActivity=FinishAssig&pzPrimaryPageName=pyWorkPage&pzTransactionId=xxxxx&pzFromFrame=pyWorkPage HTTP/1.1\" 200 1383;
?pyActivity=Sh-Harness&Purpose=Perform&SkipFrame=true&TaskIndex=1&HarnessMode=ACTION&TaskValue=CAIXXXr_____CA&TaskHTML=CAXXXℜadOnly=-1&FrameName=pyWorkPage&pzPrimaryPageName=pyWorkPage HTTP/1.1\" 200 14547;
?pyActivity=Data-Por.Get&IsBMLogin=true&StandardsMode=false&AJAXTrackID=1&pzHarnessID=HIDXXXXHTTP/1.1\" 200 10"
|  makemv data delim=";"
|  mvexpand data
|  rename data as _raw
|  extract kvdelim="=" pairdelim="&amp;"
|  table * _raw

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

saifullakhalid · ‎11-21-2017

It did not worked here is the query I am running on search

Error:
The search job has failed due to an error. You may be able view the job in the Job Inspector.

niketn · ‎11-21-2017

As stated commands till rename were just to mock sample data for testing. After your base i.e. index=clean next command should be extract.

index="clean"
| extract kvdelim="=" pairdelim="&"
| table * _raw

PS: Ideally you should add specific sourcetype="<yourSourceTypeNameGoesHere>" to your base search in case your index clean is storing multiple sourcetypes. For optimized query base search should have as many filters as possible.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

niketn · ‎11-23-2017

@saifullakhalid, can you please confim whether it worked or not?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

saifullakhalid · ‎11-20-2017

I tried this it worked, but if you have other options, please suggest.

rex field=_raw "\?pyActivity=(?\w+)&"

elliotproebstel · ‎11-20-2017

Did the regex I suggested below work for you? If yours works better, list it as an answer and accept it! 🙂

MuS · ‎11-20-2017

can you please modify your post and use the code function (mark the text and press either CTRL-K or the 101010 icon) this helps in keeping the log and the regex 😉

elliotproebstel · ‎11-20-2017

Try this:

rex field=_raw "\?pyActivity=([^&]+)&"

saifullakhalid · ‎11-21-2017

No it dint work I got this error
The search job has failed due to an error. You may be able view the job in the Job Inspector.
index="clean" | rex field=_raw "\?pyActivity=([^&]+)&"

saifullakhalid · ‎11-21-2017

This works for me

index="prod_clean" | rex field=_raw "\?pyActivity=(?([^&]+))" | stats count AS "Count" by PA | table "PA" "Count"

Extract value until specified char &

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life