topic Re: Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string... in All Apps and Add-ons

Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...

nareshchenchati — Sun, 30 Jun 2019 14:48:09 GMT

Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...

I want to extract only this validation string but not () valus which is there in the second event..

[2/26/19 03:22:29:506 CEST] 0000001f monitor O 2019-06-26 14:22:29,506 [newstp - validation - NEW]

[2/26/19 03:28:17:829 CEST] 00000023 monitor O INFO 2019-06-26 14:28:17.829 activity;

Here is the Regex which I'm using :^(?:[^ \n]* ){10}(?P[^ ]+)

Please help me to extract only validation string, not the empty string..

Re: Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...

memarshall63 — Sun, 30 Jun 2019 17:50:07 GMT

Here's a string that will get you the value of the validation string:

\[newstp\s-\svalidation\s-\s(?P<fld>.+)\]

This just looks for the string "[newstp - validation - and captures the next word before the ],
-or, did you mean it's giving you the () and you always want the bits in between the []'s?

.*\[(?P<fld>.+)\]

This looks for the square brackets and captues what's between them.

I used 'fld' as the field name where you should find the captured bits.

Hope that helps.

Re: Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...

nareshchenchati — Sun, 30 Jun 2019 18:25:33 GMT

Thanks for the reply.. I'm unable to get the output.. it says "Regex: missing terminating" while testing...

Re: Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...

memarshall63 — Sun, 30 Jun 2019 18:54:36 GMT

Can you post your search string?

Re: Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...

memarshall63 — Sun, 30 Jun 2019 20:47:26 GMT

Here's my search:

source="/tmp/splunk_ingest/*" host="/tmp/splunk_ingest" index="sandbox" sourcetype="rando_file" 
| rex field=_raw "\[newstp\s-\svalidation\s-\s(?P<fld>.+)\]"
| rex field=_raw ".*\[(?P<fld2>.+)\]" 
| table _time _raw fld fld2

and my results (in CSV):

_time","_raw",fld,fld2
"2019-06-25T21:28:17.829-0400","[2/26/19 03:28:17:829 CEST] 00000023 monitor O INFO 2019-06-26 14:28:17.829 [activity] ();",,activity
"2019-06-25T21:22:29.506-0400","[2/26/19 03:22:29:506 CEST] 0000001f monitor O 2019-06-26 14:22:29,506 [newstp - validation - NEWSTP$46359]","NEWSTP$46359","newstp - validation - NEWSTP$46359"