topic Re: Field Extraction. Excluding a single word. in All Apps and Add-ons

Field Extraction. Excluding a single word.

fvasquezchacon — Mon, 28 Sep 2020 17:49:25 GMT

Hi!

I wolud like make a extraction using the field extractor app. My question is how to exclude a single word of the extraction since it has variable word length (between 2 and 3 words).

This is my comand:

(?i)RESULT: (?\w*\s*\w*\s*\w*)

If the extractor finds the word "MIN" in the third word place, I don't want to extract it and keep it with the first two words.

Thanks in advance!

Re: Field Extraction. Excluding a single word.

jeremiahc4 — Wed, 08 Oct 2014 12:57:43 GMT

Can you post a sample of the event data?

Re: Field Extraction. Excluding a single word.

fvasquezchacon — Wed, 08 Oct 2014 14:28:17 GMT

Hi!

Here is a simple (2 events). It's a multiline event data. What I 'm looking for is to extract the sentence after the word "RESULT: ". The sentence can have 2 or three words.

MACUL      ALT103 SEP14 00:02:28 5971 FAIL ALT 
        MAIP 02 0 04 01    DN 229525843    1st CYCLE
        LIT TESTS= R-G T-G FEMF  RESULT: RING DC FEMF
        MAX      2 VOLTS  ACT      8 VOLTS

MACUL      ALT104 SEP14 00:38:56 0576 FAIL ALT 
        GOBE 00 0 11 20    DN 229444877    1st CYCLE
        LIT TESTS= R-G T-G FEMF  RESULT: TIP  LEAKAGE
        MIN    40000 OHMS   ACT      000 OHMS

Re: Field Extraction. Excluding a single word.

somesoni2 — Wed, 08 Oct 2014 15:53:51 GMT

How about this

Your base search | rex "(?i)RESULT:(?.*)"

Re: Field Extraction. Excluding a single word.

adauria_splunk — Wed, 08 Oct 2014 22:18:59 GMT

First, you could try a regex that looks for either spaces followed by a number or MIN as the end, outside the capture group, like this maybe:

RESULT: (.*)(\s+MIN|\s+\d)

If that doesn't work, you could pipe it to an eval statement that uses the rtrim function to remove MIN, then eval with rtrim again to remove the last space.

Re: Field Extraction. Excluding a single word.

adauria_splunk — Wed, 08 Oct 2014 22:20:14 GMT

The form removed the back slashes before the s and d, above...you'll need those

Re: Field Extraction. Excluding a single word.

fvasquezchacon — Thu, 09 Oct 2014 21:22:18 GMT

Thanks a lot for your answers! It helped me to solve the issue. And as posted, the form removed the back slashes (and also less-than and greater-than signs).

What I have done is the following regex:

(?m)RESULT: (?P"less-than sign"FIELD_NAME"greater-than sign".+?)$