topic Re: How to create a field with more complicated values to be extracted? in Splunk Search

How to create a field with more complicated values to be extracted?

gilbxrtx_7 — Tue, 29 Sep 2020 19:12:30 GMT

I want to extract the text in square brackets to create it as a field. However like my previous problem I had the field extraction error.

I am new to regular expressions and am not sure on how it is done, would appreciate any help to help me with the regex for this. Thank you.

Sample of the texts to be used for extraction:
<37>1 2018-04-12T02:46:13Z ET0021B747DAEC auth 0 [event101@641 SessionId="34.uUnn74R4Z7DGp" Auth_Method="Username" Username="deleteUser" UniqueUserId="a995a58e-b44f-4ebc-a7f8-f208bb46a692" Fullname="deleteUser"] Updated group selections for user: 'deleteUser'

<37>1 2018-04-16T06:03:24Z ET0021B747DAEC settings 0 [event240@641 SessionId="6hbDLUPiY5KfoYaV" SettingName="" Setting_Old_Value="0" Setting_New_Value="1"] changed id 25464

<37>1 2018-04-16T06:23:25Z ET0021B747DAEC auth 0 [event243@641 SessionId="U3Ur2rt.7LbzBYHh"] Session has logged out due to timeout.

<37>1 2018-04-16T05:47:23Z ET0021B747DAEC jobmanager 0 [event233@641 JobId="9" Job_Type="DataStreamWorkflow"] Job Cancelled:

Regardless of the length of the text in square bracket, I would want them to be able to be added as a field.

Re: How to create a field with more complicated values to be extracted?

richgalloway — Tue, 24 Apr 2018 03:19:46 GMT

Regular expressions aren't that hard, once you get used to them. A good site for experimenting with regexes is regex101.com.

This one should work for your sample data. It looks for a left bracket then takes everything that is not a right bracket and puts it into a field called "squareText". Of course, you can call the field anything you like.

"\[(?<squareText>[^\]]*)\]"

Re: How to create a field with more complicated values to be extracted?

woodcock — Tue, 24 Apr 2018 03:21:25 GMT

Like this:

... | rex "\[(?<bracket_stuff>[^\]]+)"

Re: How to create a field with more complicated values to be extracted?

woodcock — Tue, 24 Apr 2018 03:22:13 GMT

Beat me by 1 minute but I like mine better!

Re: How to create a field with more complicated values to be extracted?

gilbxrtx_7 — Tue, 24 Apr 2018 03:46:26 GMT

thanks for your suggestion, but when I copied and pasted it into regex101.com it stated that the regex got error. I prefer a regex that is meant to be created and stay permanent since I am creating a field, not to search in the search bar
when I copied and paste into search bar I dont see any highlighted text either
@woodcock

Re: How to create a field with more complicated values to be extracted?

gilbxrtx_7 — Tue, 24 Apr 2018 03:48:31 GMT

I copied and pasted your suggested regex into regex101.com but it says the following error: incomplete group structure with the (?...) parentheses and question mark. Also I would want the regex that is used for creating fields, not to be entered in search bar
When i copied and pasted into search bar I dont see any highlighted text with the square brackets either
@richgalloway

Re: How to create a field with more complicated values to be extracted?

gilbxrtx_7 — Tue, 24 Apr 2018 04:01:14 GMT

@richgalloway I added a letter 'P' right after the question mark and it worked, however it only highlighted the first sample text and did not for the subsequent texts

Re: How to create a field with more complicated values to be extracted?

Shan — Tue, 24 Apr 2018 11:01:34 GMT

Hai ,

Use the below regex syntax.

you will exactly get the data in square bracket. I have tested with above sample data provided by you.

[[a-zA-Z0-9@="-._\s\]*

Re: How to create a field with more complicated values to be extracted?

woodcock — Tue, 24 Apr 2018 15:26:59 GMT

You tested it wrong; see here:

https://regex101.com/r/npR95w/1

You can save this as a permanent KO by going to Settings -> Fields -> Field extractions -> New.

Re: How to create a field with more complicated values to be extracted?

Shan — Wed, 25 Apr 2018 04:57:32 GMT

@gilbxrtx_7 - You have multiple correct answers. Kindly test it. Accept the answer and close the question..