topic Re: How do you make a regex field extraction to stop capture after underscore and last 2 digits? in Splunk Search

How do you make a regex field extraction to stop capture after underscore and last 2 digits?

almar_cabato — Tue, 29 Sep 2020 23:23:08 GMT

Hi,

I'm new to regex field extraction. I need a regex to capture only specific characters on my event source. I tried .car_(?.+20) but it gives me an output that I don't want:

Nam-Cluster_01_20
Nam-Cluster_02_20
Nam-Cluster_03_201902191052_20

Sample File Path:

 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190557_41794
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902191428_194444
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902191052_209807

Needed Output:

car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03

Thank you!

Re: How do you make a regex field extraction to stop capture after underscore and last 2 digits?

reed_kelly — Tue, 19 Feb 2019 19:20:54 GMT

It is not the most efficient, but you can use:

|rex field=foo "car_(?<new_field>.+?)_20"

instead. This added ? says to not be greedy.

Re: How do you make a regex field extraction to stop capture after underscore and last 2 digits?

marycordova — Tue, 29 Sep 2020 23:18:21 GMT

(?<my_field_name>car_\w+\-Cluster_\d{2})

this matches the exact string "car_somelettershere-Cluster_" (the \w+ part will match any alpha characters in the middle) and then will capture the next two {2} digits \d at the end of the string

also, just in case you haven't used/seen this before: https://regex101.com/

Re: How do you make a regex field extraction to stop capture after underscore and last 2 digits?

almar_cabato — Tue, 29 Sep 2020 23:23:14 GMT

Thank you marycordova. This is almost close to what I'm looking for. But if my data changes to something like:

/path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_Asia-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Asia-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Asia-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_EMEA-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_EMEA-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_EMEA-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_India-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_India-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_India-Cluster_03_201902190559_41797

it only captures,

car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03

but not,

car_Asia-Cluster_01
car_Asia-Cluster_02
car_Asia-Cluster_03
car_EMEA-Cluster_01
car_EMEA-Cluster_02
car_EMEA-Cluster_03
car_India-Cluster_01
car_India-Cluster_02
car_India-Cluster_03

Thank you!

Re: How do you make a regex field extraction to stop capture after underscore and last 2 digits?

paranjith — Wed, 20 Feb 2019 01:24:44 GMT

Try this:

.*\/(?P<field>.*\_\d{2})\_.*$

,Try this:
.\/(?P._\d{2})_.*

Re: How do you make a regex field extraction to stop capture after underscore and last 2 digits?

marycordova — Wed, 20 Feb 2019 17:40:33 GMT

@almar_cabato try the new edit

also, if this works, please accept my answer as correct 🙂

Re: How do you make a regex field extraction to stop capture after underscore and last 2 digits?

almar_cabato — Thu, 21 Feb 2019 05:29:29 GMT

Thank you very much! This works for me now. 🙂