topic Re: How to pull one variable with multiple changing values? in Splunk Search

How to pull one variable with multiple changing values?

aohls — Thu, 15 Jun 2017 12:04:44 GMT

I have for example something as follows, "Request X|Y|Z" where X, Y, and Z all change each time the message is displayed. In this case I only want to review value Z. I was thinking something like the following:

rex (?<num1>\d)|(?<num2>\d)|(?<num3>\d), but I am not getting he results back as expected. What would be the best way to handle this?

Re: How to pull one variable with multiple changing values?

yuanliu — Thu, 15 Jun 2017 15:40:25 GMT

The vertical bars (|) in your events are literal, but when you use them in regex as shown, they become logical ORs. You need to escape such special characters if they are literal.

rex (?<num1>\d)\|(?<num2>\d)\|(?<num3>\d)

In fact if you are only interested in Z, you don't have to extract num1 and num2.

Re: How to pull one variable with multiple changing values?

aohls — Thu, 15 Jun 2017 17:58:09 GMT

Would I need to add anything to account for blank space?

Re: How to pull one variable with multiple changing values?

yuanliu — Thu, 15 Jun 2017 18:21:13 GMT

Yes, if your data contains blank spaces, you need to account for them.

Re: How to pull one variable with multiple changing values?

woodcock — Thu, 15 Jun 2017 23:21:42 GMT

Try this:

... | rex "(?<thing1>[^\|]+)|(?<thing2>>[^\|])|(?<thing3>>[^\|])"

Re: How to pull one variable with multiple changing values?

DalJeanis — Fri, 16 Jun 2017 11:38:07 GMT

regex101.com is your friend. You can put an example text value to extract, and your regular expression, into the screen and it will show you what happens.

It's not always perfect in its match with what splunk will do, but in this case it would have taught you that the | needed to be \|.