- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extraction using regular expressions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to extract a character string using a regular expression.
I am considering extracting the field (message ID) using the rex command, but I can not extract it with regular expressions.
Message ID = '< xxxxxxxx>'
※I want to extract characters between 「'<」 and 「>'」
※There is no space in the actual log.
I want to extract xxxxxxxx and make the field of message ID have the following form.
Message ID = xxxxxxxx
What kind of regular expression can I use to extract xxxxxxxx?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the following run-anywhere example.
| makeresults
| eval _raw = "Message ID = '< xxxxxxxx>'"
| rex field=_raw "Message ID = '<(?<MessageID>[^>]+)>'"
You can test the rex with your sample events. Eventually, create a Field Extraction Knowledge Object for the same.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi honobe,
based on the provided information this regex:
'<(?<Message_ID>[^>]+)>'
will match everything between '< and >' and use the match in the new field called Message_ID.
This is a really basic example and can be optimised but I hope it helps to get you started ...
btw don't use field names with spaces 😉
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much.
Thanks to your answer, I was able to solve the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the following run-anywhere example.
| makeresults
| eval _raw = "Message ID = '< xxxxxxxx>'"
| rex field=_raw "Message ID = '<(?<MessageID>[^>]+)>'"
You can test the rex with your sample events. Eventually, create a Field Extraction Knowledge Object for the same.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much.
Thanks to your answer, I was able to solve the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
typing too slow...again
Just a little tip: there is actually no need to escape the > inside of the [...] it will also work without the escaping
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @Mus, I have corrected. But \ in regular expression also tells match exactly. It works either way, I missed removing it.
| makeresults | eval message= "Happy Splunking!!!"
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
