topic Re: Regex to extract field: data inside a a parenthesis in Getting Data In

Regex to extract field: data inside a a parenthesis

jaimelopez — Mon, 11 May 2020 18:28:03 GMT

Hello,
I would like to extract data from inside a parenthesis to create a new field
This command for a search works well:
rex field=user_description "((?[^)]*)"

But when a try to configure this inside a query of a dashboard it does not work i guess because some incomptability with xml

The alternative is to extract field in the sourcetype but I am not able to obtain regular expression

Could anyone provide the regex code

Example of the data:

{"userid": 1, "action": "development (project)", "user_description": " Michael Jordan (adm-Jordan)"}

And I would like to obtain: adm-Jordan

Please take into account that other fields can contain information between parenthesis but in my case I would like to obtain data inside parenthesis when first coincidence after user_description appears

Many thanks a lot

Re: Regex to extract field: data inside a a parenthesis

to4kawa — Mon, 11 May 2020 19:21:20 GMT

| makeresults
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}"
| spath
| rex field=user_description "\((?<description>.*)\)"

spath is useful.

Re: Regex to extract field: data inside a a parenthesis

jaimesplunk88 — Mon, 11 May 2020 23:34:22 GMT

Hi to4kawa,

This is not what i want.

The spath command extracts field and value pairs on structured event data, such as XML and JSON.
What I want to extract is only the data inside the parenthesis related to user_description field

Thanks.

Re: Regex to extract field: data inside a a parenthesis

to4kawa — Tue, 12 May 2020 03:02:02 GMT

I see, my answer is updated.

Re: Regex to extract field: data inside a a parenthesis

vnravikumar — Tue, 12 May 2020 03:12:52 GMT

Check this

| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"

Re: Regex to extract field: data inside a a parenthesis

jaimelopez — Tue, 12 May 2020 10:42:52 GMT

Hi @vnravikumar ,
The thing is that I need this search to be included in a dashboard and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex

The data has to be shown in a dashboard, not simple search.

Yu know what could be the problem?

Thanks
Jaime

Re: Regex to extract field: data inside a a parenthesis

jaimelopez — Tue, 12 May 2020 10:43:39 GMT

Hi @to4kawa ,
The thing is that I need this search to be included in a dashboard and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex

The data has to be shown in a dashboard, not simple search.

Yu know what could be the problem?

Thanks
Jaime

Re: Regex to extract field: data inside a a parenthesis

vnravikumar — Tue, 12 May 2020 10:55:22 GMT

Is it possible to post your XML?

Re: Regex to extract field: data inside a a parenthesis

jaimelopez — Tue, 12 May 2020 11:26:01 GMT

Hi @vnravikumar
Yes, here you have

<form>
  <label></label>
  <fieldset submitButton="false">
    <input type="time" token="time_picker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Test</title>
        <search>
          <query>
| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"
| table _time user_description result
          </query>
          <earliest>$time_picker.earliest$</earliest>
          <latest>$time_picker.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

What I checked it should be something regarding rex command
Regards,

Re: Regex to extract field: data inside a a parenthesis

vnravikumar — Tue, 12 May 2020 11:36:43 GMT

Try like

 | rex field=user_description "\((?P&lt;result&gt;[^)]+)"

Re: Regex to extract field: data inside a a parenthesis

jaimelopez — Tue, 12 May 2020 12:33:53 GMT

it works @vnravikumar
lots of thanks 🙂

Re: Regex to extract field: data inside a a parenthesis

vnravikumar — Tue, 12 May 2020 12:41:44 GMT

Please accept my answer