topic Re: Help with Regex - Removing Text from Field in Splunk Search

Help with Regex - Removing Text from Field

chrisschum — Wed, 30 Oct 2019 11:45:40 GMT

I have a field where results are 'some letter & number combination of 3 or 4 characters' that includes txt on the end I want to remove.

The text is made up of APSA< /ParticipantObjectQuery>< /ParticipantObjectIdentification>< /AuditMessage>".

So, how do I get rid of everything after the '3 or 4 character' value, which in this case is 'APSA'?

Thanks!

Re: Help with Regex - Removing Text from Field

gcusello — Wed, 30 Oct 2019 12:09:03 GMT

Hi chrisschum,
I could be more precise if you could share an example of your values and of the values to extract.
Anyway, if you field is called APSA, you want to extract ParticipantObjectQuery, ParticipantObjectIdentification and AuditMessage fields and an example is abc1 de2 fgh3.txt, you could use something like this:

| rex field=APSA "^(?<ParticipantObjectQuery>[^ ]*)\s+(?<ParticipantObjectIdentification>[^ ]*)\s+(?<AuditMessage>[^\.]*)"

You can test it at https://regex101.com/r/j7u1vF/1

Ciao.
Giuseppe

Re: Help with Regex - Removing Text from Field

chrisschum — Wed, 30 Oct 2019 13:15:45 GMT

Thanks Giuseppe!

I'm actually wanting to get rid of everything after the APSA (or any other 3 to 4 alphanumeric value). The field is actually already extracted as LOC.

So what I get when I run a search is LOC= "3 or 4 character alphanumeric value"< /ParticipantObjectQuery>< /ParticipantObjectIdentification>< /AuditMessage>

What I want the results to be is LOC="3 or 4 character alphanumeric value"

Thanks!

Re: Help with Regex - Removing Text from Field

gcusello — Wed, 30 Oct 2019 13:19:31 GMT

Sorry I don'r understand: could you share an example of your data and the result you want?
Ciao.
Giuseppe

Re: Help with Regex - Removing Text from Field

kartm2020 — Wed, 30 Oct 2019 14:21:03 GMT

Hi,
As per your comment, If the character is alphanumeric value. Below regex will help you extract.

| rex field=_raw "(?P[A-Z0-9]{4})"

Please correct me if my understanding is wrong.

You can test it : https://regex101.com/r/j7u1vF/1
You can change the value inside parenthesis as per your requirement( I pretend it is 4 character value)

Re: Help with Regex - Removing Text from Field

wenthold — Wed, 30 Oct 2019 14:34:26 GMT

Try this:

 | rex field=LOC "^(?<yourValue>[\w]{3,4})"

As long as the 3- to 4- character value is at the beginning of the line this should work.

Re: Help with Regex - Removing Text from Field

chrisschum — Wed, 30 Oct 2019 14:43:38 GMT

That worked! Thanks!