Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me create a regex expression that would extract a field?

itionet
New Member
‎09-18-2018 03:39 AM

Hi All,

I'm trying to extract a field. However, the field I want to extract isn't at the same location each time. I thought I would try to do a regex on the string only without the field number.

The string I am trying to match is similar to below:
ABCS-3-ABCD_A
ABCDS-2-DFESAC
OSBFSASD-9-SDS_DSA

This is what I came up with, but it's not working:

^(?:[^[\w+]-\d-[\S+]*)(?P[^:]+)

Any help would be appreciated.

0 Karma
Reply

saurabhkharkar
Path Finder
‎12-17-2018 07:09 AM

I am guessing the string that you are trying to match always starts with '%'

| makeresults
| eval string="Sep 18 22:12:48 hostname.domain : hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter."
| rex field=string ".\%(?[A-Z-0-9_]+)."
| table string extract

This should give you the string(SESDA-9-BSCS)

0 Karma
Reply

saurabhkharkar
Path Finder
‎12-17-2018 11:58 AM

Before [A-Z-0-9_] and after the ? , please add (without spaces) - surprisingly that was taken out on its own.

0 Karma
Reply

saurabhkharkar
Path Finder
‎12-17-2018 11:59 AM

add 'extract' - enclosed in <>

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-18-2018 05:50 AM

The regex string ".*" matches your examples, but is probably not what you need. Please provide complete events that put your target strings in context. Specify what you want extracted from the events. If you describe what you want in words, someone should be able to convert that into a regex.

---
If this reply helps you, Karma would be appreciated.
Reply

itionet
New Member
‎09-18-2018 09:40 PM

I figured it out. Thanks for the help.

0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎09-20-2018 03:23 PM

@itionet

I'm glad you figured out an answer to your question. Would you mind creating an answer post describing how you were able to solve your problem and then approving it? That way, others could learn from your problem in the future.

Thanks!

0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎09-19-2018 05:34 AM

Hi.. maybe, you can update your REX command(as an answer), so that it will be helpful for others in the future.. and then please accept your answer as accepted answer

0 Karma
Reply

itionet
New Member
‎09-18-2018 09:34 PM

So, this is basically what I'm looking at:

Sep 18 22:12:48 hostname.domain %STRING-A:WD %SECSD-4-DS_S: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain %STRONG-A:SD %LOSSD-3-DACS: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain : hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.

As you can see the string I want to pull out is usually in position 5, the first one being SECSD-4-DS_S. However, sometimes it is in position 6. I want to pull it out of the string no matter the position. The string will always be some number of uppercase letters followed by a - (dash), followed by a digit, followed by another dash, and then some number of uppercase and non-alphanumeric characters.

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...