topic Re: need help with forming a regex command for extracting some fields in Splunk Search

need help with forming a regex command for extracting some fields

s0m073r — Wed, 27 May 2020 08:13:52 GMT

Hi,

Can someone please help in getting the field extracted:

"x-hello-abc":["101.2.10.1, 102.3.4.3, 12.3.45.5"]

Please help in getting a regex expression to extract this field

Re: need help with forming a regex command for extracting some fields

gcusello — Wed, 27 May 2020 08:24:28 GMT

Hi @s0m073r,
let me understand: you want to extract the three IPs or only the first?
if all the values, try this regex

| rex "(?<x_hello_abc>\d+\.\d+\.\d+\.\d+)"

that you can test at https://regex101.com/r/m6WhUh/1
if you want only the first, use this regex

| rex "\"(?<x_hello_abc>\d+\.\d+\.\d+\.\d+)"

that you can test at https://regex101.com/r/m6WhUh/2

Ciao.
Giuseppe

Re: need help with forming a regex command for extracting some fields

s0m073r — Wed, 30 Sep 2020 05:32:18 GMT

I need to extract all the IP's which come under this field, i need to get field with x_hello_abc that contains all the ips

Re: need help with forming a regex command for extracting some fields

gcusello — Wed, 27 May 2020 08:39:09 GMT

Hi @s0m073r,
ok you can use the first.
Please use "_" instead "-" in the field name.

Ciao.
Giuseppe

Re: need help with forming a regex command for extracting some fields

s0m073r — Wed, 27 May 2020 08:44:49 GMT

thanks for your quick response. i am getting the below error:
Error in 'rex' command: Encountered the following error while compiling the regex '(?\d+.\d+.\d+.\d+)': Regex: syntax error in subpattern name (missing terminator).

Re: need help with forming a regex command for extracting some fields

gcusello — Wed, 27 May 2020 09:13:43 GMT

Hi @s0m073r,
where do you used the regex: in the rex command, in a field extraction or in a dashboard?

try at first in the search with the rex command (using the double quotes).

Ciao.
Giuseppe

Re: need help with forming a regex command for extracting some fields

s0m073r — Wed, 27 May 2020 09:49:31 GMT

i tried with rex "x-hello-abc\":[\"(?[^\"]+)"

it worked fine for me

Re: need help with forming a regex command for extracting some fields

gcusello — Wed, 27 May 2020 09:53:56 GMT

Ok good!
but in this case, you take only the first IP, not the others.

Please, to share regexes use always the Code Sample button (the one with 101010) otherwise I cannot see your regexes.

Ciao.
Giuseppe

Re: need help with forming a regex command for extracting some fields

codebuilder — Wed, 27 May 2020 20:11:25 GMT

Use erex...

https://docs.splunk.com/Documentation/Splunk/8.0.3/SearchReference/Erex#Examples

...| erex examples="x-hello-abc"

Then view the regex generated by Splunk via the job inspector.