topic How to extract the value before a specific character using regex or rex? in Splunk Search

How to extract the value before a specific character using regex or rex?

leagawa — Mon, 12 Feb 2018 22:34:25 GMT

I would like to extract the string before the first period in the field using regex or rex

example: extract ir7utbws001 before the period .Feb-12-2016.043./dev/sdi and likewise in all these

ir7utbws001.Feb-12-2016.043./dev/sdi

ir7mojavs12.Feb-12-2016.043./dev/sda1

Gcase-field-ogs-batch-004-staging.dec-12-2016.043

sb7sdamb002.Feb-12-2016.043./dev/sdn

ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1

ik2itpcp002.Feb-12-2016.043./dev/sda1

ebase-field-ods-batch-003.Feb-12-2016.043./dev/sdi

Leo-batch-001.Feb-12-2016.043./dev/sda1

Re: How to extract the value before a specific character using regex or rex?

aljohnson_splun — Tue, 13 Feb 2018 00:07:48 GMT

| rex "^(?<name_of_new_field>.+?)\."

Explanation:

Anchor to the beginning of the line.

(?<name_of_new_field> some regular expression )

This is just saying that whatever is in the parenthesis is a named capture group. Whatever you put between the < and > is the name of the new field.

.+?

Grab anything . one or more times + until ? ...

\.

We find a literal dot \. - the backslash is to escape its normal meaning as a wildcard character.

Try checking out this link to validate it.
https://regex101.com/r/JvZ4fS/1

Try checking out https://regexone.com/ if you want to learn more about regular expressions.

Re: How to extract the value before a specific character using regex or rex?

cpetterborg — Tue, 13 Feb 2018 00:21:42 GMT

A vastly more efficient regex (roughly 5 time more efficient) is:

| rex "^(?<name_of_new_field>[^.]*)\."

The reason for the increase in efficiency is making the capture group look for something that is not a period and be greedy ( [^.]* ), not any character and be lazy ( .+? ).

Re: How to extract the value before a specific character using regex or rex?

mayurr98 — Tue, 13 Feb 2018 06:12:03 GMT

hey try this run anywhere search

| makeresults 
| eval raw="ir7utbws001.Feb-12-2016.043./dev/sdi ir7mojavs12.Feb-12-2016.043./dev/sda1 Gcase-field-ogs-batch-004-staging.dec-12-2016.043 sb7sdamb002.Feb-12-2016.043./dev/sdn" 
| makemv raw 
| mvexpand raw 
| rex field=raw "^(?P<field_name>[^\.]+)"

In your environment you should write

| rex  "^(?P<field_name>[^\.]+)"

let me know if this helps!

Re: How to extract the value before a specific character using regex or rex?

siksaw33 — Fri, 27 May 2022 13:39:28 GMT

Just curious.
How would this work if in the same example we have

ir7utbws001

as an entry

as there is no 'period' your code would extract this as null. I wanted to extract the whole field if there is no period

So basically what is alternative of

| eval temp=split(URL,".")
| eval Final=mvindex(temp,0)