Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

need help with regex field extraction between square brackets

Steve_A200
Path Finder
‎07-26-2023 01:50 PM

I am still trying to get my head around regular expressions in splunk, and would like to use regex that could parse the _raw data to create an extracted field with the contents that are between the square brackets:

_raw example data looks like this:

2023-07-26 15:11:16.932 [ engine1] [Error-1] INFO java.Exception: example text
2023-07-26 15:11:16.932 [ core2] [Thread-5] WARN java.Exception: example text 2
2023-07-26 15:11:16.932 [ main3] [Token-2] INFO java.Exception: example text 3
2023-07-26 15:11:16.932 [ Job4] [Thread-1] WARN java.Exception: example text 4

I need to extract field that is based on the data between the first square brackets.
If I need another field that is based on teh second square brackets.

So, I would like the results to look like like below:

Field_1         Field_2
engine1       Error-1
core2           Thread-5
main3          Token-2
Job4             Thread-1

Any feedback and help would greatly appreciated.

Thanks

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cklunck
Path Finder
‎07-26-2023 02:23 PM

Something like this should work.

<your search>
| rex field=_raw " \[(?<Field_1>.+?)\] \[(?<Field_2>.+?)\] "

 

You might have to adjust some of the spaces and other characters to match your events. The brief description of the regex above is:

  • Look in the raw event field
  • Find a space character followed by a left square bracket
  • Start capturing a value and name it "Field_1"
  • Find any set of characters - this will be what ends up in "Field_1"
  • Stop when you find a right square bracket
  • Then there should be a space followed by another left square bracket
  • Start capturing a value and name it "Field_2"
  • Find any set of characters - this will be what ends up in "Field_2"
  • Stop when you find a right square bracket followed by a space

Documentation for rex has some good examples.

Hope that helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

cklunck
Path Finder
‎07-26-2023 02:23 PM

Something like this should work.

<your search>
| rex field=_raw " \[(?<Field_1>.+?)\] \[(?<Field_2>.+?)\] "

 

You might have to adjust some of the spaces and other characters to match your events. The brief description of the regex above is:

  • Look in the raw event field
  • Find a space character followed by a left square bracket
  • Start capturing a value and name it "Field_1"
  • Find any set of characters - this will be what ends up in "Field_1"
  • Stop when you find a right square bracket
  • Then there should be a space followed by another left square bracket
  • Start capturing a value and name it "Field_2"
  • Find any set of characters - this will be what ends up in "Field_2"
  • Stop when you find a right square bracket followed by a space

Documentation for rex has some good examples.

Hope that helps!

Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎07-27-2023 11:40 AM

Thank you for the reply, the solutions provided worked great, exactly what I needed.

Much appreciated.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2023 02:07 PM 
"\[(?<field_1>[^\]]+)\]\[(?<field_2>[^\]]+)\]"
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...