topic Rex to match fields until particular string in Splunk Search

Rex to match fields until particular string

slipinski — Tue, 05 May 2020 15:31:01 GMT

Hi,

I'm using expression: (?ms)book.(?\d{7}-\d) to extract some numbers from this input (thanks @to4kawa ) :

" new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)".

This gives me all 5 numbers (1272473, 1272472, 1272477, 1271398, 1271397), but I'm interested only in numbers before keyword "removed" (1272473, 1272472, 1272477). Please bear in mind, there could be from 1 to 5 strings in "new contribution" section and I would like to extract all of them.

Thanks is advance,
Szymon

Re: Rex to match fields until particular string

to4kawa — Tue, 05 May 2020 15:50:55 GMT

UPDATE:
use 2 rex

| makeresults 
| eval _raw="new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)" 
| rex "(?<new>.*), removed" 
| rex field=new max_match=0 "(?ms)book.(?<book>\d{7}-\d)"

Re: Rex to match fields until particular string

slipinski — Tue, 05 May 2020 18:05:06 GMT

Correct me if I'm wrong, but your query will extract fields after "removed" string and I would like to extract fields before it.