Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract the value before a specific character using regex or rex?

leagawa
New Member
‎02-12-2018 02:34 PM

I would like to extract the string before the first period in the field using regex or rex

example: extract ir7utbws001 before the period .Feb-12-2016.043./dev/sdi and likewise in all these

ir7utbws001.Feb-12-2016.043./dev/sdi

ir7mojavs12.Feb-12-2016.043./dev/sda1

Gcase-field-ogs-batch-004-staging.dec-12-2016.043

sb7sdamb002.Feb-12-2016.043./dev/sdn

ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1

ik2itpcp002.Feb-12-2016.043./dev/sda1

ebase-field-ods-batch-003.Feb-12-2016.043./dev/sdi

Leo-batch-001.Feb-12-2016.043./dev/sda1

0 Karma
Reply

mayurr98
Super Champion
‎02-12-2018 10:12 PM

hey try this run anywhere search

| makeresults 
| eval raw="ir7utbws001.Feb-12-2016.043./dev/sdi ir7mojavs12.Feb-12-2016.043./dev/sda1 Gcase-field-ogs-batch-004-staging.dec-12-2016.043 sb7sdamb002.Feb-12-2016.043./dev/sdn" 
| makemv raw 
| mvexpand raw 
| rex field=raw "^(?P<field_name>[^\.]+)"

In your environment you should write 

| rex  "^(?P<field_name>[^\.]+)"

let me know if this helps!

Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎02-12-2018 04:07 PM 
| rex "^(?<name_of_new_field>.+?)\."

Explanation:

^

Anchor to the beginning of the line.

(?<name_of_new_field> some regular expression )

This is just saying that whatever is in the parenthesis is a named capture group. Whatever you put between the < and > is the name of the new field. 

.+?

Grab anything . one or more times + until ? ...

\.

We find a literal dot \. - the backslash is to escape its normal meaning as a wildcard character.

Try checking out this link to validate it.
https://regex101.com/r/JvZ4fS/1

Try checking out https://regexone.com/ if you want to learn more about regular expressions.

Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-12-2018 04:21 PM

A vastly more efficient regex (roughly 5 time more efficient) is:

| rex "^(?<name_of_new_field>[^.]*)\."

The reason for the increase in efficiency is making the capture group look for something that is not a period and be greedy ( [^.]* ), not any character and be lazy ( .+? ).

0 Karma
Reply

siksaw33
Path Finder
‎05-27-2022 06:38 AM

Just curious.
How would this work if in the same example we have


ir7utbws001

as an entry

as there is no 'period' your code would extract this as null. I wanted to extract the whole field if there is no period

So basically what is alternative of

| eval temp=split(URL,".")
| eval Final=mvindex(temp,0)

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...