topic Re: How to extract data using regex? in Splunk Search

How to extract data using regex?

Shan — Tue, 29 Sep 2020 21:27:05 GMT

Hi All,

I Have data in below mentioned format.
I need to extract value CUP_Used and cup_used using regex and store it as a separate filed.
But in below mentioned pattern CUP_Used and cup_used is available in 2nd or 3rd place in unstructured data set. I need to extract only CUP_Used and cup_used.

I have used the below mentioned rex to extract CUP_Used and cup_used. But I'm getting values as mentioned below. But i don't need values like s,LUV etc . With single rex i need to extract the value CUP_Used and cup_used.

LUV
CUP_Used
s
s
cup_used

\d\d\]\s[^:]+:\s[^;]+;(?P<hard>[a-zA-Z_]+)

\d\d\]\s[^:]+:\s[^;]+;(?P<hard>[^;]+);

Thanks in advance..

Re: How to extract data using regex?

493669 — Thu, 27 Sep 2018 05:42:15 GMT

try this:

...|rex "(?P<hard>\w+);$"

Re: How to extract data using regex?

Shan — Tue, 29 Sep 2020 21:27:08 GMT

@493669,

Sorry for inconvenience caused. There are many data patterns are there. please find below for the sample.

[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;CUP_Used;
[15330744495] DATA Thing: SVR~1232.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;
[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;datat;Splunk;
[15330744495] DATA Thing: SVR~1232.CBE.data.com En;min;max;splunk1
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;working;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;

needed values : cup_used,CUP_Used,Splunk,splunk1,working.

Thanks

Re: How to extract data using regex?

493669 — Thu, 27 Sep 2018 06:31:55 GMT

updated the answer ..please try above
this answer work if every line is one separate event

Re: How to extract data using regex?

Shan — Thu, 27 Sep 2018 08:15:31 GMT

@493669,

No its not working..

[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;CUP_Used;
[15330744495] DATA Thing: SVR~1232.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;
[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;datat;Splunk;
[15330744495] DATA Thing: SVR~1232.CBE.data.com En;min;max;splunk1
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;working;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;Retre;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;working;data;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;working;data;sdhgfsd;dshhd

Re: How to extract data using regex?

FrankVl — Tue, 29 Sep 2020 21:27:10 GMT

You keep coming up with new sample patterns. You'll really need to come up with a clear definition of what you want to extract, in order for anyone to come up with a working regex.

For starters: please be more clear than "its not working". What results do you get and which of those are correct and which are not?

From your earlier explanations, it seemed as if you want to capture the last 'field' in the line, but apparently that is not entirely the case? If you just want to check for the presence of one of those words you now mentioned (cup_used,CUP_Used,Splunk,splunk1,working), then try this:

| rex "(?<hard>cup_used|CUP_Used|Splunk|splunk1|working)"

https://regex101.com/r/tFmL38/1