Solved: Re: How to edit my regular expression to extract t...

ayusuf · ‎10-25-2016

I don't understand how Splunk does regex!
I have this search below:

...
| spath output=test path=a.b.c
| rex field=test "?<test1>[0-9]+"
| table test, test1

Test is this: {"timehours":"16","timeminutes":"34","timeseconds":"11"}

How do I extract just the numbers and semicolon except the first semicolon?
Thanks!

sundareshr · ‎10-25-2016

Try this

 ...
 | spath output=test path=a.b.c
 | rex max_match=3 field=test "(?<t>\d{1,2})"
 | eval test1=mvindex(t, 0).":".mvindex(t, 1).":".mvindex(t, -1)
 | table test, test1

View solution in original post

DalJeanis · ‎02-01-2017

Here's another way. Still couldn't get it in just one rex.

This generates test results -

| makeresults | eval testfield="{\"timehours\":\"16\",\"timeminutes\":\"34\",\"timeseconds\":\"11\"}"

This pulls out the time parts -

| rex field=testfield max_match=3 "(?<mytime>\d{1,2})" | eval mytime=mvjoin(mytime,":")

sundareshr · ‎10-25-2016

Try this

 ...
 | spath output=test path=a.b.c
 | rex max_match=3 field=test "(?<t>\d{1,2})"
 | eval test1=mvindex(t, 0).":".mvindex(t, 1).":".mvindex(t, -1)
 | table test, test1

ayusuf · ‎10-26-2016

That works but is there a way to do it all in rex? Thanks.

sundareshr · ‎10-26-2016

With rex mode=sed you cannot assign the result to a different field. Try this

  ... | rex mode=sed field=test "s/{\"timehours\":\"(\d+).+?:\"(\d+).+?:\"(\d+)\"}/\1:\2:\3/g" | table test

How to edit my regular expression to extract the numbers and semicolons from my sample data?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...