topic Re: Regex certain value from a field in Splunk Search

Regex certain value from a field

timyong80 — Wed, 30 Sep 2020 04:47:48 GMT

Hello,

I have a regex question. I have a field called "Container" and below are the examples of the values.
I would like to regex a certain part of the value but unfortunately, there's no unique marker to tell it where to start/stop. However, I noticed that there's always 3 underscores before that specific part that I need to extract so probably that could be helpful for the regex.

Can you help me with the regex expression (starts after the 3rd underscore and ends before the next underscore)?

1) k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0
2) k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351
3) k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513

Desired regex result for Container field:

1) tau-ops
2) clusteradmin
3) fltc-ods-uit

Thank you in advance.

Re: Regex certain value from a field

jpolvino — Tue, 31 Mar 2020 12:31:36 GMT

Here is one way to do it, using a Run Anywhere SPL:

| makeresults
| eval _raw="event
k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0
k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351
k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513"
| multikv forceheader=1 | fields _raw
| rex "(.*?_){3}(?<container>[^_]+)"

See regex101

Re: Regex certain value from a field

gcusello — Tue, 31 Mar 2020 12:32:12 GMT

Hi @timyong80,
please try something like this:

index=your_index
| rex "^([^_]+_){3}(?<field>[^_]+)_"
| ...

that you can test at https://regex101.com/r/CCGPg6/1

Ciao.
Giuseppe

Re: Regex certain value from a field

richgalloway — Tue, 31 Mar 2020 12:38:34 GMT

This works with your sample data.

| rex field=Container "(?:[^_]+_){3}(?<field>[^_]+)"

Re: Regex certain value from a field

vnravikumar — Tue, 31 Mar 2020 12:46:37 GMT

Check this

| makeresults 
| eval Container="k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0,
 k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351,
 k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513" 
| makemv delim="," Container 
| mvexpand Container 
| eval result = mvindex(split(Container,"_"),3) 
| table Container,result

Re: Regex certain value from a field

timyong80 — Thu, 02 Apr 2020 10:49:47 GMT

Excellent, I used the rex part only and it works!
Thank you very much

Re: Regex certain value from a field

timyong80 — Thu, 02 Apr 2020 10:50:09 GMT

Thanks a lot 🙂 This works!

Re: Regex certain value from a field

timyong80 — Thu, 02 Apr 2020 10:50:43 GMT

Thanks a bunch, really appreciate it. This works well!

Re: Regex certain value from a field

timyong80 — Thu, 02 Apr 2020 10:53:04 GMT

Thank you! These are 3 separate entries actually., not in one field separated by comma.
But I learned new thing about makemv delim function. Thanks again!

Re: Regex certain value from a field

gcusello — Thu, 02 Apr 2020 12:25:10 GMT

Hi @timyong80,
you're welcome!
Ciao and next time!
Giuseppe

Re: Regex certain value from a field

vnguyen46 — Thu, 02 Apr 2020 13:37:54 GMT

Hi,

How can I regex <Type> Read Only </Type> to get "Read Only"? I mean only yield text between the tags.

Thanks,