- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help on regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help on regex
Need a help on reg ex . My event will look like this
I want to get the value B as my answer using reg ex . hot to get it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
your props.conf
REPORT-attribute = xmlkv_attribute
your transforms.conf
[xmlkv_attribute]
REGEX = (?i)>([^<]+)<\/\S+:([^>]+)>
FORMAT = $2::$1
MV_ADD = 1
CLEAN_KEYS = 1
this will set your fieldname and value as below
>YOUR_Value</ ns7:YOUR_Fieldname>
hope this would help you,
happy splunking,
eashwar raghunathan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is that your full event? Is the category always going to be PGP? if so you can try this:
PGP">(?P<field_name>[^<]+)
This will pick up everything between PGP"> and a less than "<" and store into field "field_name"
Here's a really useful link where you can test your regex: http://regexpal.com/
Note that if you test the above regex in this page it won't work due to the splunk specific field extraction syntax. you can run it as the following, and then just remember to put the "?P
PGP">([^<]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
6- going forward all your events that contain a regex that matches will be stored into the field that you labeled in step 5
7- you can now use this field in your search to limit results, display by this field, etc
Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think I missunderstood your requirements. My suggestion is to use field extraction to get what you want. So the regex I provided was for that, and not for a search command regex.
Follow these steps:
1- run a basic search that returns the events you want to extract from
2- click the blue button next to an event (on the left)
3- select "extract fields"
4- you can use the regex I gave you, and play around with the regex editor and test it in this page
5- save the regex once you are satisfied, and label it as you want
... continued in next comment
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The PGP" field will change. I will get different values for the different events My exact requirement is to find the attribute ID . which is' B ' in the event. I have to name is as attribute_id (field name ) .
I tried your answer . But getting an error message " Unbalanced quotes . I am new to splunk. It would be very helpful if you share me any tutorials on splunk
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
