How to extract a field using rex that may or may n...

Naren26 · ‎02-06-2018

Consider I am having two string - "YY02State" and "Y02State"

In the above strings, I have to extract the fields like:
Y - IsStateLegal
Y - IsStateSafe
02 - StateId
State - NameOfState

There might be instances when the IsStateSafe field is not available in the log entry, like it is in the second string "Y02State". How can I write rex for this? Please note the other fields will always be available.

I tried the following rex, but of no luck.

(?<IsStateLegal>\w{1})(?<IsStateSafe>\w*.{1})(?<StateId>d{2})(?<NameOfState>\w*)

Please suggest a solution for this.

mayurr98 · ‎02-06-2018

hey @Naren26,

Try this run anywhere search

| makeresults 
| eval raw="YY02State Y02State N32State YN02State" 
| makemv raw 
| mvexpand raw 
| rex field=raw "(?<IsStateLegal>[A-Za-z])(?<IsStateSafe>[^\d]*)(?<StateId>\d{2})(?<NameOfState>\S+)"

In your environment, you should write

| rex field=_raw "(?<IsStateLegal>[A-Za-z])(?<IsStateSafe>[^\d]*)(?<StateId>\d{2})(?<NameOfState>\S+)"

let me know if this helps!

493669 · ‎02-06-2018

Try this run anywhere search:

 |makeresults|eval _raw="Y02State"|rex "(?<IsStateLegal>\w{1})(?<IsStateSafe>\w)?(?<StateId>\d{2})(?<NameOfState>\w+)"

cpetterborg · ‎02-07-2018

|makeresults|eval _raw="Y02State"|rex "(?<IsStateLegal>\w{1})(?<IsStateSafe>\w)?(?<StateId>\d{2})(?<NameOfState>\w+)"

This will result in half the number of steps required to match. The greedy * makes it work twice as much in this case.

493669 · ‎02-07-2018

thanks @cpetterborg. So with ? instead of * will improve performance in this case..updated the answer.

How to extract a field using rex that may or may not be present?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!