topic Extract a string in Splunk Search

Extract a string

ashu_g50 — Mon, 28 Sep 2020 13:04:13 GMT

Hi we log the data in splunk as below

we have a field called controlFiles="m_ifs_swr_d_1.20130103.cntl.txt"

I have the query to extract the control file as its a variable but what I want is just the 1st part
m_ifs_swr_d_1 and not 20130103.cntl.txt.

now the 1st and the 2nd part are not of fixed length but can be maximum 3
what I mean is the format for the control file is

....

now filename can be part1 or part2 or part3 usually its two parts. but the only constant in the format is .cntl even the file type may or may not be present (usually its not) so I want to extract anything thats before the .cntl

how can I achieve this.

Re: Extract a string

kristian_kolb — Wed, 09 Jan 2013 13:28:19 GMT

If you only want the text up to, but not including the first dot (.) - which seems to be the pattern here - you can do it inline through a rex statement.

your search | rex field = controlFiles "(?<ctrlfile>[^.]+)\." | the rest of your search

That gives you a new field called ctrlfile that only contains the first part.

If you want the field to contain everything (including dots) but date.cntl.txt, you could try:

your search | rex field = controlFiles "(?<ctrlfile>.*)\.\d{10}\.cntl\.txt" | the rest of your search

You probably understand how to take if from here if these patterns are not correct. If not, ask for a clarification.

Hope this helps,

Kristian

Re: Extract a string

gfuente — Wed, 09 Jan 2013 15:38:36 GMT

Hello

Here you have another option:
Regular Expression:
controlFiles="(?\w*).(?\w+)?.?(?\w+)?.?\d+.cntl.\w+"

Splunk Command:

... | rex field = controlFiles "controlFiles="(?\w*).(?\w+)?.?(?\w+)?.?\d+.cntl.\w+"" | ...

I tried it with RegExRX and it works for me

Try it and let me know if it doesn´t work for you

Regards