topic Re: Rex field extraction in Splunk Search

How to extract this string?

chanhee1 — Tue, 18 Apr 2023 08:59:06 GMT

There are two types of raw data. What is the regular expression to get the value between the /* special symbol and the */ special symbol in the raw data?

I tried this regex but it doesn't work

rex field=query "^[^/\n]*/\*(?P<test>[^\*]+)"

DATA1

SELECT /*4/18 test */ DRTA_SEQ\r\n FROM DATA_REQ_LIST\r\n WHERE DATE < TO_DATE('2023-04-18 06:00:00', 'YYYY-MM-DD HH24:MI:SS')\r\n

DATA2

with my_index as (\n select index_name from ALL_indexes where table_owner = :1 \n /* test select index_name from CHAN_indexes where table_owner = :schema_name and table_name in ( :[*object_names] )\n *//* test select * from Chanlist */

I want this string to be extracted

DATA1

4/18 test

DATA2

test select index_name from CHAN_indexes where table_owner = :schema_name and table_name in ( :[*object_names] )\n

test select * from Chanlist

Re: Rex field extraction

manjunathmeti — Tue, 18 Apr 2023 06:23:49 GMT

hi @chanhee1 ,

Try this:
Updating the answer with @ITWhisperer regex.

| makeresults | eval query="SELECT /*4/18 test */ DRTA_SEQ\r\n FROM DATA_REQ_LIST\r\n WHERE DATE < TO_DATE('2023-04-18 06:00:00', 'YYYY-MM-DD HH24:MI:SS')\r\n" | append [| makeresults | eval query=" with my_index as (\n select index_name from ALL_indexes where table_owner = :1 \n /* test select index_name from CHAN_indexes where table_owner = :schema_name and table_name in ( :[*object_names] )\n *//* test select * from Chanlist */"] | rex max_match=0 field=query "\/\*\s?(?<test>.+)(?>\*\/)" | mvexpand test

Re: Rex field extraction

ITWhisperer — Tue, 18 Apr 2023 06:10:30 GMT

| rex max_match=0 "\/\*(?<value>.+?)(?>\*\/)"

Re: Rex field extraction

yuanliu — Tue, 18 Apr 2023 06:26:19 GMT

Assume that your data field is named data,

| rex field=data "^[^/]*(?<data_a>.+/)[^/]*$" | eval data_a = split(data_a, " */") | eval data_a = mvmap(data_a, replace(data_a, "/\* *", ""))