topic Re: How do I use regex to extract value in parenthesis preceded by parenthesis? in Splunk Search

How do I use regex to extract value in parenthesis preceded by parenthesis?

aramakrishnan — Thu, 24 Sep 2015 21:56:39 GMT

I have the following log(s) from which I want to extract the value inside the parenthesis. The parenthesis field is preceded by 2 other values in parenthesis, and is followed by the statement "No activation date"

{2015-09-24} {465456] [N1234SYS04] No activation date and no log bytes available.

I would like to extract the value in the 3rd paranethesis (i.e. N1234SYS04) as it is a valuable ID field that is not getting parsed into a field on Splunk. I'd like to use the regex command but I'm not sure what my syntax should be (rex field = _raw(......))

Any help would be great. Thanks!

Re: How do I use regex to extract value in parenthesis preceded by parenthesis?

MuS — Thu, 24 Sep 2015 22:01:16 GMT

Hi aramakrishnan,

you can try this regex:

your base search here | rex field=_raw "\[(?<ID>[^\]]*)" | do further splunk fu with ID

Hope this helps ...

cheers, MuS

Re: How do I use regex to extract value in parenthesis preceded by parenthesis?

aramakrishnan — Thu, 24 Sep 2015 22:06:54 GMT

This extracts the field but the issue is that there are actually 2 other fields that are preceded by the field I want, which also have the same format i.e. [2015-09-24][465456][N1234SYS04]. Using the rex syntax you provided pulls information from the first one, but I want it from the 3rd parenthesis (i.e. I want the field to only show N1234SYS04, but currently its showing 2015-09-24). How can I specify which parenthesis I want to start the extraction from?

Re: How do I use regex to extract value in parenthesis preceded by parenthesis?

MuS — Thu, 24 Sep 2015 22:18:22 GMT

tested and working with this regex:

/opt/splunk/bin/splunk cmd pcregextest mregex="(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" test_str="[2015-09-24][465456][N1234SYS04]. 
> "

Original Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Expanded Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Regex compiled successfully. Capture group count = 2. Named capturing groups = 1.
SUCCESS - match against: '[2015-09-24][465456][N1234SYS04]. 
'

#### Capturing group data ##### 
Group |            Name | Value
--------------------------------------
    1 |                 | [465456]
    2 |              ID | N1234SYS04

so use it like this:

your base search here | rex field=_raw "(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" | ...

Re: How do I use regex to extract value in parenthesis preceded by parenthesis?

wrangler2x — Thu, 24 Sep 2015 22:36:53 GMT

The original example you gave shows {} for the first, {] for the second, and [] for the third. With that data sample @Mus rex would work perfectly.

If in fact you have [] [] [] then you can modify Mus rex this way:

... | rex field=_raw "\[.*?\]\s+\[.*?\]\s+\[(?<ID>[^\]]*)" | stats count by ID

Re: How do I use regex to extract value in parenthesis preceded by parenthesis?

aramakrishnan — Thu, 24 Sep 2015 22:39:48 GMT

Thank you so much @wrangler2x and @Mus. That worked perfectly.