topic how to use the rex command to extract data when we have space in Splunk Search

how to use the rex command to extract data when we have space

s0m073r — Fri, 07 Feb 2020 04:55:23 GMT

Hi have a scenario, where I would like to extract the field OfferCode which has space after and before the code:

OfferCode : XYZAQERWSD

Please help with rex command to extract this field OfferCode

Re: how to use the rex command to extract data when we have space

to4kawa — Fri, 07 Feb 2020 05:01:06 GMT

Sample:

| makeresults 
| eval _raw="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf" 
| rex  "OfferId\s:\s(?P<OfferCode>\S+)"

cf. makeresults

| rex "OfferId\s:\s(?P<OfferCode>\S+)"
Hi, @s0m073r
How about this?

If your default _raw contains your sample code , rex works

Re: how to use the rex command to extract data when we have space

s0m073r — Fri, 07 Feb 2020 05:07:31 GMT

Hi @to4kawa
getting this:
**
Error in 'SearchParser': Missing a search command before '|'. Error at position '84' of search query 'search index=XXXX CheckoutBizException:...{snipped} {errorcontext = OfferId| | rex field}'.**

Re: how to use the rex command to extract data when we have space

to4kawa — Fri, 07 Feb 2020 05:13:58 GMT

@s0m073r

 {errorcontext = OfferId| | rex field

| is double.

Re: how to use the rex command to extract data when we have space

s0m073r — Fri, 07 Feb 2020 05:18:03 GMT

@to4kawa
tried with
*rex field=Offers "OfferId\s:\s(?P\S+)" *

But there is no field getting created to view the list, I can see no errors though

Re: how to use the rex command to extract data when we have space

to4kawa — Fri, 07 Feb 2020 05:31:04 GMT

@s0m073r
Does Offers contain "OfferCode : XYZAQERWSD" ?

rex "OfferCode\s:\s(?P<OfferCode>\S+)"
Is that enough?

By the way, what's OfferId ?

Re: how to use the rex command to extract data when we have space

vnravikumar — Fri, 07 Feb 2020 05:37:36 GMT

Try this also

| makeresults 
| eval temp="OfferCode : XYZAQERWSD" 
| regex temp="OfferCode\s:" 
| eval result=mvindex(trim(split(temp,":")),-1)

Re: how to use the rex command to extract data when we have space

to4kawa — Fri, 07 Feb 2020 05:39:54 GMT

I agree. but there is unclear field.

Re: how to use the rex command to extract data when we have space

s0m073r — Fri, 07 Feb 2020 09:37:46 GMT

let me give my complete requirement:

exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf

can you please now help me getting the extract of the Offerid field alone with the code?

Re: how to use the rex command to extract data when we have space

vnravikumar — Fri, 07 Feb 2020 09:58:12 GMT

Try this

| makeresults 
| eval temp="exce.msg=ServiceException:No valid XXXx for OfferId : ASRDAVS32@#4sdfsf" 
| rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)"

Re: how to use the rex command to extract data when we have space

to4kawa — Fri, 07 Feb 2020 09:58:52 GMT

@s0m073r
I see, my answer is updated. please confirm.

Re: how to use the rex command to extract data when we have space

s0m073r — Fri, 07 Feb 2020 10:24:11 GMT

Error in 'makeresults' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

Re: how to use the rex command to extract data when we have space

abhijeet01 — Fri, 07 Feb 2020 10:54:15 GMT

Hi s0m073r,

Pls try below regex command.

rex field = _raw "\OfferCode\s:\s(?P<OfferCode>[^\s+]+)"

Re: how to use the rex command to extract data when we have space

vnravikumar — Fri, 07 Feb 2020 11:02:42 GMT

You no need of makeresults command, here i had used to create dummy event. | rex field=temp "OfferId\s+:\s+(?P<id>[^@#]+)" is enough. In that instead of temp you give actual field name.

Re: how to use the rex command to extract data when we have space

codebuilder — Fri, 07 Feb 2020 15:15:03 GMT

An easier way honestly is to use "erex", which is a hidden gem.

Pipe your search to this:

| erex offercode examples="XYZAQERWSD"

Wait for the search to complete, then look at the job inspector. At the top it will provide the regex necessary to find the value you are looking for. Example:

You can also use "counterexamples" to exclude results.

https://docs.splunk.com/Documentation/Splunk/8.0.1/SearchReference/Erex

Re: how to use the rex command to extract data when we have space

s0m073r — Fri, 07 Feb 2020 15:53:07 GMT

thank you, it worked.
thank you all for helping

Re: how to use the rex command to extract data when we have space

codebuilder — Fri, 07 Feb 2020 15:56:04 GMT

Glad to help!