Splunk Search

Question: I am facing an issue with a regular expression; I want to print a substring from a string

su_kumar
New Member

Hello Sir,

I am new to regular expressions. Our log has different values for the field.
I want to remove the characters up to the first minus (-) from the beginning and print the substring up to the second minus (-).
Example:
ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE -> AP_Adobe
BLO_CAT_12-DefaultGroup-SH_Auth-DefaultGroup-NONE -> DefaultGroup
OTHER-Default-SH_Auth-DefaultGroup-NONE -> Default

Thanks

0 Karma

woodcock
Esteemed Legend

Like this:

| makeresults 
| eval raw="ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE BLO_CAT_12-DefaultGroup-SH_Auth-DefaultGroup-NONE OTHER-Default-SH_Auth-DefaultGroup-NONE"
| makemv raw
| mvexpand raw
| rename raw AS _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "^[^-]+-(?<myDestField>[^-]+)"

NOTE: You may need to change rex on the last line to rex field=mySourceField.

0 Karma

inventsekar
Ultra Champion

Hi all, any ideas/suggestions about how makemv and mvexpand work in the above query, please?

0 Karma

su_kumar
New Member

Thanks .. now it is working.

0 Karma

woodcock
Esteemed Legend

Be sure to UpVote any useful comments or answers and pick the best answer and click Accept to close the question.

0 Karma

saurabhkharkar
Path Finder

Try this:

| makeresults
| eval string="ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE"
| rex field=string ".*?\-(?<output>[^\-]+).+"
| table string output

0 Karma
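
Added example (not part of any post in this thread): the two rex patterns from the answers above, run side by side in Python over the question's values and a few constructed edge cases. The only change to the patterns is Python's `(?P<name>...)` group syntax in place of `(?<name>...)`; the helper names and the edge-case values are assumptions made for this illustration.

```python
import re

# Patterns from the two answers, with Splunk's (?<name>...) named groups
# rewritten in Python's (?P<name>...) syntax. Nothing else is changed.
ANCHORED = re.compile(r"^[^-]+-(?P<myDestField>[^-]+)")
LAZY = re.compile(r".*?\-(?P<output>[^\-]+).+")


def extract(pattern, value):
    """Unanchored search, as rex does; return the captured group or None."""
    m = pattern.search(value)
    return m.group(1) if m else None


# The three values from the question, followed by constructed edge cases.
SAMPLES = [
    "ALL_CAT_12-AP_Adobe-Adobe_Ident-Defaultgp-NONE",
    "BLO_CAT_12-DefaultGroup-SH_Auth-DefaultGroup-NONE",
    "OTHER-Default-SH_Auth-DefaultGroup-NONE",
    "OTHER-Default",     # constructed: only one hyphen in the value
    "-Default-SH_Auth",  # constructed: value starts with a hyphen
    "NOHYPHEN",          # constructed: no hyphen at all
]


def compare(values=SAMPLES):
    """Return (value, anchored_result, lazy_result) for each input value."""
    return [(v, extract(ANCHORED, v), extract(LAZY, v)) for v in values]


if __name__ == "__main__":
    for value, anchored, lazy in compare():
        flag = "" if anchored == lazy else "  <-- results differ"
        print(f"{value!r:52} anchored={anchored!r:16} lazy={lazy!r}{flag}")
```

Both patterns agree on the three values from the question. They diverge on a value with a single hyphen, where the lazy pattern's trailing `.+` takes the last character away from the capture, and on a value that starts with a hyphen, which the anchored pattern does not match.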