topic How to extract field with regex such as sentence with space in Splunk Search

How to extract field with regex such as sentence with space

syokota_splunk — Tue, 14 Nov 2017 09:02:27 GMT

Hi regex masters,
Please help me.

Below are sample xml logs.

Incident Number: 151719935
    Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2040
    Area Code: 17
    Area Name: Devonshire
    Road: 1782
Incident Number: 150920551
    Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2000
    Area Code: 09
    Area Name: Van Nuys
    Road: 0915

And I'd like to extract "Area Name" field then I try to use below regex.

(Area Name: )(?P<area_name>\w+)

I succeed to get the value of 1st sample log but I cannot get 2nd sample log.

How do I get not only word without space also word with space?

Re: How to extract field with regex such as sentence with space

harsmarvania57 — Tue, 14 Nov 2017 09:06:22 GMT

Hi,

Will you please try this regex (Area\sName:\s)(?P<area_name>.*) ?

Re: How to extract field with regex such as sentence with space

syokota_splunk — Tue, 14 Nov 2017 09:16:39 GMT

Match every thing after "Area Name:" also Road and Crime Code too.

Re: How to extract field with regex such as sentence with space

harsmarvania57 — Tue, 14 Nov 2017 09:20:07 GMT

Try this (Area\sName:\s)(?P<area_name>.*)\n

Re: How to extract field with regex such as sentence with space

syokota_splunk — Tue, 14 Nov 2017 09:24:49 GMT

Same issue is happen.

Re: How to extract field with regex such as sentence with space

harsmarvania57 — Tue, 14 Nov 2017 09:37:57 GMT

Based on sample data if I run below search it gives me Van Nuys only.

| makeresults 
| eval field1="Incident Number: 150920551
     Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2000
     Area Code: 09
     Area Name: Van Nuys
     Road: 0915" 
| rex field=field1 "(?s)(Area\sName:\s)(?P<area_name>.*)\n"

Re: How to extract field with regex such as sentence with space

jgbricker — Tue, 14 Nov 2017 13:06:27 GMT

You could use a pattern that says anything not a colon continued and then add the colon.

[^\:]+\:

Then you can say not a new line continued [^\n]+

You would want to account for the comma. Putting it together would be something like
[^\:]+\:[^\n]+\n[^\:]+\:[^\,]+\,[^\:]+\:[^\n]+\n

You wrap the parts you want to extract and label them (?PPatternForValue)

The above pattern isnt complete I can finish it but it may help you to do that. Try using regex101.com. It explains what you are doing and finding

Re: How to extract field with regex such as sentence with space

syokota_splunk — Tue, 14 Nov 2017 13:12:19 GMT

Finally I did it. It seems raw log has none "\n" code but have "\s".
Thanks all!

Re: How to extract field with regex such as sentence with space

syokota_splunk — Tue, 14 Nov 2017 13:13:49 GMT

Yes, your search can get it. But it seems raw log has no '\n' code after "Van Nuys".
Finally I figure out by your suggestion.
I put the screen shot on new comment.

Re: How to extract field with regex such as sentence with space

harsmarvania57 — Tue, 14 Nov 2017 13:28:36 GMT

That's great, in this case you can accept your own answer so this question will be closed.