Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Finding first occurrence of matching beginning anchor in field extraction.

Cuyose
Builder
‎06-19-2015 11:06 AM

I need to create a regex field extraction to deal with odd events where the same string exists multiple times before my end anchor after same begin anchors.

rough example:

<ExternalErrorDescription>A bunch of random stuff</ExternalErrorDescription><ExternalErrorDescription>more stuff</ExternalErrorDescription><ExternalErrorDescription>WHAT I WANT TO EXTRACT &#xD;

The text between the last <ExternalErrorDescription> and is what I want to extract. The problem is its always grabbing everything as it matches the first <ExternalErrorDescription> up to my end anchor. I can't figure out the syntax to match the last occurance of the beginning string anchor and end anchor.

This is what I have currently

(?i)ExternalErrorDescription>(?P<ExternalErrorDescription>.*?)\&\#xD;
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-19-2015 11:38 AM

Try this:

.*ExternalErrorDescription>(?<ExternalErrorDescription>.*?)\&\#xD;

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-19-2015 11:38 AM

Try this:

.*ExternalErrorDescription>(?<ExternalErrorDescription>.*?)\&\#xD;
Reply
Solved! Jump to solution

Cuyose
Builder
‎06-19-2015 12:14 PM

unfortunately this is still matching everything after the first match of 

ExternalErrorDescription>

.*ExternalErrorDescription>(?<ExternalErrorDescription>.*?)\&\#xD;
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-19-2015 12:35 PM

I tested it on your data and it works; try again:

... | rex  ".*ExternalErrorDescription>(?<ExternalErrorDescription>.*)\&\#xD;" | fields ExternalErrorDescription
0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎06-19-2015 12:48 PM

Interesting, so that does work inline with the search, but I am trying to create a field extraction in settings for this, and it wont work when set the exact same way there. any ideas on how to make that work as a field extraction?

(?i).*ExternalErrorDescription>(?<ExternalErrorDescription>.*)\&\#xD;
0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎06-19-2015 01:06 PM

I got this working, for some reason I had to add a ? in my declaration. The below now works automatically in field extractions.

    (?i).*<ns1:ExternalErrorDescription>(?<ExternalErrorDescription>.*?)\&\#xD;
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-19-2015 01:25 PM

Don't forget to "Accept" the answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...