Solved: Re: How to extract field with regex such as senten...

syokota_splunk · ‎11-14-2017

Hi regex masters,
Please help me.

Below are sample xml logs.

Incident Number: 151719935
    Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2040
    Area Code: 17
    Area Name: Devonshire
    Road: 1782
Incident Number: 150920551
    Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2000
    Area Code: 09
    Area Name: Van Nuys
    Road: 0915

And I'd like to extract "Area Name" field then I try to use below regex.

(Area Name: )(?P<area_name>\w+)

I succeed to get the value of 1st sample log but I cannot get 2nd sample log.

How do I get not only word without space also word with space?

syokota_splunk · ‎11-14-2017

Finally I did it. It seems raw log has none "\n" code but have "\s".
Thanks all!

View solution in original post

syokota_splunk · ‎11-14-2017

Finally I did it. It seems raw log has none "\n" code but have "\s".
Thanks all!

jgbricker · ‎11-14-2017

You could use a pattern that says anything not a colon continued and then add the colon.

[^\:]+\:

Then you can say not a new line continued [^\n]+

You would want to account for the comma. Putting it together would be something like
[^\:]+\:[^\n]+\n[^\:]+\:[^\,]+\,[^\:]+\:[^\n]+\n

You wrap the parts you want to extract and label them (?PPatternForValue)

The above pattern isnt complete I can finish it but it may help you to do that. Try using regex101.com. It explains what you are doing and finding

harsmarvania57 · ‎11-14-2017

Hi,

Will you please try this regex (Area\sName:\s)(?P<area_name>.*) ?

syokota_splunk · ‎11-14-2017

Match every thing after "Area Name:" also Road and Crime Code too.

harsmarvania57 · ‎11-14-2017

Try this (Area\sName:\s)(?P<area_name>.*)\n

syokota_splunk · ‎11-14-2017

Same issue is happen.

harsmarvania57 · ‎11-14-2017

Based on sample data if I run below search it gives me Van Nuys only.

| makeresults 
| eval field1="Incident Number: 150920551
     Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2000
     Area Code: 09
     Area Name: Van Nuys
     Road: 0915" 
| rex field=field1 "(?s)(Area\sName:\s)(?P<area_name>.*)\n"

syokota_splunk · ‎11-14-2017

Yes, your search can get it. But it seems raw log has no '\n' code after "Van Nuys".
Finally I figure out by your suggestion.
I put the screen shot on new comment.

harsmarvania57 · ‎11-14-2017

That's great, in this case you can accept your own answer so this question will be closed.

How to extract field with regex such as sentence with space

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...