topic Re: rex - Extracting a string in Splunk Search

rex - Extracting a string

jrowland1230 — Thu, 20 Jun 2024 12:22:42 GMT

I want to exact a string 'GUID" from the log right after "customers". This regex expression works in https://regex101.com/ but not in Splunk. My field name is log:

2023-06-19 15:28:01.726 ERROR [communication-service,6e72370er2368b08,6e723709fd368b08] [,,,] 1 --- [container-0-C-1] c.w.r.acc.commservice.sink.ReminderSink : Reminder Message processed, no linked customers aaf60d69-99a9-41f5-a081-032224284066

| rex field=log "(?<cids>).*customers\s(.*)"

Re: rex - Extracting a string

P_vandereerden — Wed, 19 Jun 2024 23:49:26 GMT

Did you want cids to contain that GUID?

Try

| rex field=log ".*customers\s(?<cids>.*)"

Alternatively, if the GUID is always at the end, following a space, you can even drop the "customers" part:

| rex field=log "(?<cids>\S+$)"

Your example appears to be creating a capture group named "cids" that captures nothing (the first set of parentheses), and then a second non-capturing group that matches what you want (the second set of parentheses).
This document might help explain in more detail:
https://docs.splunk.com/Documentation/SCS/current/Search/AboutSplunkregularexpressions#Capture_groups_in_regular_expressions

Re: rex - Extracting a string

jrowland1230 — Thu, 20 Jun 2024 12:19:05 GMT

Thank you. I was close ugh.

Re: rex - Extracting a string

jrowland1230 — Thu, 20 Jun 2024 12:21:54 GMT

So to clarify the <cids> is the placeholder for the values produced from the regex AND also the placement is where the actual value would be contained in the string, i.e. Log field?

Re: rex - Extracting a string

P_vandereerden — Thu, 20 Jun 2024 15:22:11 GMT

Yes. You can name multiple capture groups in one rex statement.

e.g.

| rex field=my_field "foo:\s+\"(?<first_capture>[^\"]+)\",\s+bar:\s+(?<second_capture>[^\"]+)"