Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract a part of a field via reg ex?

alakhotia
Explorer
‎10-14-2022 04:10 PM

I have a field with data like this:

loggingObject.methodName="WXYX.MNOController.myMethodName".

loggingObject.methodName="DEF.GHI.TUVController.myMethodName2"

 

I want to extract just the myMethodName part.  If the dot before it is there, that is fine.

I tried using the reg ex field extractor, this is what it came up with:

^(?:[^\.\n]*\.){9}(?P<methodName>\w+)

But it seems like it's creating a name for the extracted field, "methodName".

I then tried to use it my query like this:

 

| regex methodName="^(?:[^\.\n]*\.){9}(?P<methodName>\w+)"

 

But it doesn't work.  There also isn't anything in that line that tells it to extract from the loggingObject.methodName field specifically.

How can I extract what I'm trying to extract?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2022 05:07 PM

As you discovered, the regex field extractor leaves a lot to be desired.  It's OK to start with, but any freshman can produce a better expression.

The regex command filters events.  It does not extract fields.

Try this command to extract the methodName field at search time.

| rex field=loggingObject.methodName "\.(?<methodName>\w*?$)"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-14-2022 05:07 PM

As you discovered, the regex field extractor leaves a lot to be desired.  It's OK to start with, but any freshman can produce a better expression.

The regex command filters events.  It does not extract fields.

Try this command to extract the methodName field at search time.

| rex field=loggingObject.methodName "\.(?<methodName>\w*?$)"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

alakhotia
Explorer
‎10-17-2022 11:18 AM

That works, thank you.

What is the significance of "field"?  What value does it contain?

When I try outputting it in a table, it is blank.

But the extracted value that I wanted, was contained in the "methodName" that's in the regular expression term.

I would have thought that "field" would have contained the extracted value.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2022 11:51 AM

The "field" option contains the name of the field the rex command will use as input.  See https://docs.splunk.com/Documentation/Splunk/9.0.1/SearchReference/Rex#Syntax

The location(s) of the extracted value(s) is/are specified in the regex itself as one or more named capture groups.

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...