topic How to extract the field by using regex? in Splunk Search

How to extract the field by using regex?

Peru123 — Thu, 08 Dec 2022 19:34:39 GMT

Hi , I need to extract the value FISOBPIT10101 from the below lines.

message:PSUS7|8897|FISOBPIT10101|OWA|8897|8897|SignOnID|SPT|adding routing key in producer

Re: How to extract the field by using regex

StefanoA — Thu, 08 Dec 2022 13:10:57 GMT

You could go with | erex , if you're not expert with RegExs.

Otherwise, assuming the value is always in that position and not assuming a specific set of alphanumeric values, go with the following (13 steps per log, very efficient)

| rex field=<yourFieldOr_raw> "^(?:[^\|\v]*+\|){2}(?<yourValue>[^\|\v]*)"

Re: How to extract the field by using regex

ITWhisperer — Thu, 08 Dec 2022 13:11:10 GMT

| rex "([^|]+\|){2}(?<field>[^|]+)"

https://regex101.com/r/UTPJb4/1

Re: How to extract the field by using regex

Peru123 — Thu, 08 Dec 2022 13:47:12 GMT

Hi , I need this value only FISOBPIT10101

Re: How to extract the field by using regex

ITWhisperer — Thu, 08 Dec 2022 13:50:03 GMT

| rex "([^|]+\|){2}(?<field>FISOBPIT10101)"

Re: How to extract the field by using regex?

yuanliu — Fri, 09 Dec 2022 04:33:08 GMT

Depending on whether the leading phrase "message" and the trailing phrases such as "adding routing key in producer" are important, you can use rex or just

If those phrases are unimportant, use split. It is more efficient.

| eval of_interest = mvindex(split(your_field, "|"), 2)

If the first phrase and the last are important,

| rex field=your_field "message:(\d+|){2}(?<of_interest>\w+)(|\d+){5}|adding routing key in producer"