topic Re: How to search from last occurrence of a string in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464642#M130945 <PRE><CODE>|rex field=_raw "\[(?&lt;name&gt;.*?\,.*?)\]" </CODE></PRE> <P>simply.</P> Tue, 11 Feb 2020 20:28:17 GMT to4kawa 2020-02-11T20:28:17Z How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464637#M130940 <P>Hello Experts,</P> <P>I am trying to read the text from the last square bracket (which is TestModelCompany,en_US)</P> <PRE><CODE>21:11:31,367 INFO [TestBenuLogger] [155.56.208.68] [716057] [-] [TestModelCompany,en_US] No 1 XX_TimeStep="10" XX_TimeQuery="10" XX_HTTPSession="1398708550-1911P0" XX_QuerySession="null" XX_TimeStamp="2020-02-09T20:11:31.358Z-PY" XX_Company="Model Company" XX_QueryMode="STANDARD" XX_Agent="Model" Starting Model API : Mode : Standard Query Operation : QUERY Company : Model Company New Snapshot Calculation </CODE></PRE> <P>I wrote a regular expression to extract the content from last bracket,</P> <PRE><CODE>(?&lt;=\[)[^\[\]]*(?=][^\[\]]+$) </CODE></PRE> <P>It works well. However I am unable to integrate it in the splunk,</P> <P>This is my existing splunk query,</P> <PRE><CODE>sourcetype=text XX_Company="*" last_modified_on index="*_test_application" | rex field=_raw "last_modified_on.*?to_datetime\('(?&lt;lmo_date&gt;.*?):\d\d\w\'" | eval lmo_date_converted=strptime(lmo_date,"%Y-%m-%dT%H:%M") | eval daysDiff=(_time-lmo_date_converted)/86400 | rex field=_raw "(?&lt;name&gt;&lt;=\[)[^\[\]]*(?=][^\[\]]+$)" | where daysDiff &gt; 90 | stats avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On" by XX_Company XX_Mode | sort -"Last Modified On averege days in past" </CODE></PRE> <P>This is a working splunk query. With this, I would like to display the content from the last bracket as a column. Could you guide?</P> Mon, 10 Feb 2020 17:12:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464637#M130940 benuantony 2020-02-10T17:12:44Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464638#M130941 <P>try adjusting your second rex: rex field=_raw <CODE>"(?&lt;name&gt;(?&lt;=\[)[^\[\]]*)(?=][^\[\]]+$)"</CODE></P> Mon, 10 Feb 2020 21:08:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464638#M130941 wneighbo 2020-02-10T21:08:19Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464639#M130942 <PRE><CODE>| stats values(name) as name avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On" by XX_Company XX_Mode </CODE></PRE> <P>I fix <CODE>stats</CODE> .</P> Mon, 10 Feb 2020 22:18:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464639#M130942 to4kawa 2020-02-10T22:18:19Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464640#M130943 <P>I just need to add a new column with my regex. The stats is already working well</P> <P>The regular expression to extract the content from last bracket is this,</P> <P>(?&lt;=[)[^[]]*(?=][^[]]+$)</P> <P>How to add this in rex &amp; show it as a column with existing query?</P> Tue, 11 Feb 2020 13:47:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464640#M130943 benuantony 2020-02-11T13:47:55Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464641#M130944 <P>what is wrong in this?</P> Tue, 11 Feb 2020 13:49:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464641#M130944 benuantony 2020-02-11T13:49:02Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464642#M130945 <PRE><CODE>|rex field=_raw "\[(?&lt;name&gt;.*?\,.*?)\]" </CODE></PRE> <P>simply.</P> Tue, 11 Feb 2020 20:28:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464642#M130945 to4kawa 2020-02-11T20:28:17Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464643#M130946 <P>Do you try my last answer? <CODE>name</CODE> value is appeared.</P> Tue, 11 Feb 2020 20:29:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464643#M130946 to4kawa 2020-02-11T20:29:49Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464644#M130947 <P>any idea?</P> Tue, 11 Feb 2020 20:41:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464644#M130947 benuantony 2020-02-11T20:41:12Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464645#M130948 <P>Is the log format constant? If yes, the name you're trying to extract is 5th <CODE>[...]</CODE> element. Extract that base on number and add <CODE>name</CODE> to your stats-by clause.</P> Tue, 11 Feb 2020 21:17:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464645#M130948 somesoni2 2020-02-11T21:17:54Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464646#M130949 <P>ok.. how to display the variable "name" as column in statistics? I would like to test your rex field=_raw "[(?.<EM>?\,.</EM>?)]"</P> Tue, 11 Feb 2020 21:25:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464646#M130949 benuantony 2020-02-11T21:25:26Z Re: How to search from last occurrence of a string https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464647#M130950 <P>Give this a try</P> <PRE><CODE>sourcetype=text XX_Company="*" last_modified_on index="*_test_application" | rex field=_raw "last_modified_on.*?to_datetime\('(?&lt;lmo_date&gt;.*?):\d\d\w\'" | eval lmo_date_converted=strptime(lmo_date,"%Y-%m-%dT%H:%M") | eval daysDiff=(_time-lmo_date_converted)/86400 | where daysDiff &gt; 90 | rex field=_raw "^([^\[]+\[){5}(?&lt;name&gt;[^\]]+)" | stats avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On" by XX_Company XX_Mode name | sort -"Last Modified On averege days in past" </CODE></PRE> Tue, 11 Feb 2020 21:37:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-from-last-occurrence-of-a-string/m-p/464647#M130950 somesoni2 2020-02-11T21:37:02Z