Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting two types of fields in a query (IFX)

HelpMePlease
Explorer
‎07-25-2013 11:42 PM

I have my xml data HERE, I need to extract using Splunk IFX, Generated pattern (regex).

Example Xml: (22/7)17:53 Accident on AYE (towards Tuas) after Jurong Port Rd Exit. Avoid lane 3./d:Message

I have this expression that extract from word after until Exit.
(?i) after (?P.[^.]*?Exit)

As this look for word Exit only, how do I add other situation such as Rd|Entrance ?
I tried (?i) after (?P.[^.]*?(Exit|Entrance|Rd)), it gives me Invalid regex: no named extraction at position 39 (i.e., "?(Exit|Ent..."). Expected "(?Ppattern)"

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HelpMePlease
Explorer
‎07-26-2013 01:53 AM

After hours of trying, solved by (?i) (?P<dummyone>on) (?P<onexpressway>[^.]+?)\s+(?:\([^)]*?\)\s+)?(?P<dummytwo>at|after|before) (?P<locationaccident>[^.]*?(?P<dummythree>Exit|Flyover|Tunnel|Exit\.|Rd\.|Entrance\.|Ave\.|Avenue\.|North\.|South\.|East\.|West\.|[1-99]\.|BKE\.|SLE\.|CTE\.|ECP\.|KJE\.|TPE\.|PIE\.|AYE\.|Kayu\.|Way\.|Halus\.|Circus\.|Link\.|Highway\.|Tuas\.|Bahagia\.|Merah\.|Limau\.|Park\.|Lay\.|Drive\.|Dr\.|Queensway\.|Village\.|Town\.|Crescent\.|Link\.|Payoh\.|Kechil\.|Central\.))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

HelpMePlease
Explorer
‎07-26-2013 01:53 AM

After hours of trying, solved by (?i) (?P<dummyone>on) (?P<onexpressway>[^.]+?)\s+(?:\([^)]*?\)\s+)?(?P<dummytwo>at|after|before) (?P<locationaccident>[^.]*?(?P<dummythree>Exit|Flyover|Tunnel|Exit\.|Rd\.|Entrance\.|Ave\.|Avenue\.|North\.|South\.|East\.|West\.|[1-99]\.|BKE\.|SLE\.|CTE\.|ECP\.|KJE\.|TPE\.|PIE\.|AYE\.|Kayu\.|Way\.|Halus\.|Circus\.|Link\.|Highway\.|Tuas\.|Bahagia\.|Merah\.|Limau\.|Park\.|Lay\.|Drive\.|Dr\.|Queensway\.|Village\.|Town\.|Crescent\.|Link\.|Payoh\.|Kechil\.|Central\.))

0 Karma
Reply
Solved! Jump to solution

HelpMePlease
Explorer
‎07-28-2013 11:13 PM

Splunk doesn't like unnamed groups. Hope this will help some people 😃

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...