topic Re: How to split and retrieve a value ? in Splunk Search

How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 12:27:18 GMT

I think we may need regex for this and I am not good at it.
I need to be able to extract the last part i.e. (TMNT-1752) from the below string . In some cases the numeric part could be three or more digits too like CMNU-112 or NT=1223 etc or TURC-12223. I think I want the part that comes after selectedIssue=.

https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752

Re: How to split and retrieve a value ?

harsmarvania57 — Thu, 04 Jan 2018 12:34:08 GMT

Hi @zacksoft,

Please try <yourBasesearch> | rex ".*=(?<value>.*)" this will extract TMNT-1752 into new field value

Here is run anywhere search, first 2 lines generating dummy data only.

| makeresults 
| eval _raw="https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&pelectedIkkue=TMNT-1752" 
| rex ".*=(?<value>.*)"

Re: How to split and retrieve a value ?

p_gurav — Thu, 04 Jan 2018 12:37:18 GMT

Hi zacksoft,

In example string is "pelectedIkkue=" constant? If yes then you can try below one:

| rex field=_raw "selectedIssue\=(?P<field1>.+)"

Re: How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 12:39:12 GMT

Yes, that is constant. The only value that changes is 'TMNT-1752'. It could be something like ABC-1233 or ABFD-121 etc...

Re: How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 12:41:52 GMT

If I try this , where will it extract TMNT-1752 to ?
I need to able to use the value and put it in a table.

Re: How to split and retrieve a value ?

p_gurav — Thu, 04 Jan 2018 12:43:51 GMT

it will extract into "field1".. which you can use in the search

Re: How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 12:43:59 GMT

There is another "=" sign before "rapidView". But I don't want that value. I only want the last one that comes after 'selectedIssue='

Re: How to split and retrieve a value ?

harsmarvania57 — Thu, 04 Jan 2018 12:46:12 GMT

Can you please post your full event instead of part of event so that we can write regex properly.

Re: How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 12:46:58 GMT

@p_gurav
Actually it's not _raw. The entire string itself is stored in a field caleld "url".
What changes do I make for that ?

Re: How to split and retrieve a value ?

p_gurav — Thu, 04 Jan 2018 12:49:03 GMT

Then used below:

 | rex field=url "selectedIssue\=(?P<field1>.+)"

Re: How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 12:49:26 GMT

The string itself is extracted from _raw and stored in a field called 'url'.
And url field is as follows. I need the string that is present after 'selectedIssue='

https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752"

Re: How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 12:57:13 GMT

A small change ... I see in some of the strings there are some values that are present after TMNT-1752 and they begin with '&' and that messes up the extract. Can I filter those ?

Example : https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752&myReq=1234somethingsomething

The current query's output is "TMNT-1752&myReq=1234somethingsomething"

Can we just get the part present between "selectedIssue=" and "&"

Re: How to split and retrieve a value ?

p_gurav — Thu, 04 Jan 2018 13:02:22 GMT

Then try this, It will create field called value which you can use in search:

  | rex field=url "selectedIssue\=(?<value>(([^\&]+)|(.+)))"

    | rex field=_raw "selectedIssue\=(?<value>(([^\&]+)|(.+)))"

Re: How to split and retrieve a value ?

DavidHourani — Thu, 04 Jan 2018 13:16:22 GMT

Hi man,

This should work for you :

  | rex field=url "selectedIssue\=(?<value>[^\&]+)"

Best regards,
David

Re: How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 13:32:07 GMT

What if the string I am looking for is between "selected=" and "&"

example : selectedIssue=TWNT1752&
selectedDefect=TMNT1752
selectedGarfi=TMNT1234
selectedEpic=TMNT1234

How do I extract it ?

Re: How to split and retrieve a value ?

p_gurav — Thu, 04 Jan 2018 13:39:01 GMT

Hi,

Can you try this :

  | rex field=url "selected\w+=(?<value>(([^\&]+)|(.+)))"

  | rex field=_raw "selected\w+=(?<value>(([^\&]+)|(.+)))"

Re: How to split and retrieve a value ?

zacksoft — Thu, 04 Jan 2018 13:45:18 GMT

Thanks @p_gurav

Re: How to split and retrieve a value ?

p_gurav — Thu, 04 Jan 2018 13:47:19 GMT

Welcome. 🙂

Re: How to split and retrieve a value ?

DavidHourani — Thu, 04 Jan 2018 13:59:53 GMT

Ah from what I read I saw you needed selected issue only.

Simplest form is:

  | rex field=url "selected\w+=(?<value>[^\&]+)"

Re: How to split and retrieve a value ?

nikita_p — Thu, 04 Jan 2018 14:16:08 GMT

Hi @,
I think the regex above should work for you but still if it's not you can try below regex.
index=xyz | rex field=url "\"(selected\w+)\"[=]*(?P(([^&]+)|(.+)))\""