topic Re: How to find all values after a certain label in a field with regex? in Splunk Search

How to find all values after a certain label in a field with regex?

Chandras11 — Wed, 16 May 2018 10:32:24 GMT

Hi All,
I have a big text field with sample value as:

Random text Location:AL432   1)ART: New order  ANYTHING  Location:B2332  1)ART: Any order   Random text

I need to extract all the locations for example AL432 and B2332 and put them together in a new field. Please note that Location and 1)ART will always surround the location Id.

I can use something like:

| rex field=_raw "Location: (?P<LocationID>\d+) \)ART:" | eval LOCATIONVALUES= case(match(TEXT,"Location"), LocationID)

But I am completely sure if my regex syntax is correct here. Also I need to put all Locations in LOCATIONVALUES together.

Thanks in advance

Re: How to find all values after a certain label in a field with regex?

gcusello — Wed, 16 May 2018 10:39:02 GMT

hi Chandras11,
regex doesn't seem correct, try:

Location:(?<Location>[^ ]*)

you can test at https://regex101.com/r/FEyqTW/1

Bye.
Giuseppe

Re: How to find all values after a certain label in a field with regex?

knielsen — Wed, 16 May 2018 10:48:29 GMT

Well, you can directly grab all matches into the field LOCATIONVALUES, eg:

rex field=_raw max_match=0 "Location:(?<LOCATIONVALUES>\S+)"

# run everywhere:
| makeresults 
| eval input=" Random text Location:AL432   1)ART: New order  ANYTHING  Location:B2332  1)ART: Any order   Random text " 
| rex field=input max_match=0 "Location:(?<LOCATIONVALUES>\S+)"

You can then do what you need with the field, eg use mv commands to for it into something you like.

Re: How to find all values after a certain label in a field with regex?

Chandras11 — Wed, 16 May 2018 10:52:07 GMT

Thanks a lot. I am checking further in my query 🙂

Re: How to find all values after a certain label in a field with regex?

Chandras11 — Wed, 16 May 2018 10:52:43 GMT

Thanks a lot.

Re: How to find all values after a certain label in a field with regex?

Chandras11 — Wed, 16 May 2018 14:28:08 GMT

I tried it as : "^(.?)Location:(?\s[^ ]) " which gives me just the first location. I need to extract all locations.
Now its working for all events and ignore the white space after the location keyword (\s). however, it just finds the first occurrence. Any way to get values together

Re: How to find all values after a certain label in a field with regex?

Chandras11 — Wed, 16 May 2018 14:44:10 GMT

Thanks a lot for your help. FInally found the solution.
For me it is:

| rex field=input max_match=0 "^(.*?)Location:(?<LOCATIONVALUES>\s*[^ ]*)" 
and it is working perfectly.

Re: How to find all values after a certain label in a field with regex?

Chandras11 — Wed, 16 May 2018 14:44:58 GMT

its working now. Need max_match as suggested by @knielsen