topic Re: regex address in Splunk Search

regex address

CyberWolf — Fri, 06 Dec 2024 13:53:34 GMT

im trying to capture address, city and state that are in one line but they have ", : and ,
i would like to excluede (Quotes Coma and Colon)
see test example below

12345 noth test Avenue","city":"test","state":"test",

Re: regex address

richgalloway — Fri, 06 Dec 2024 14:32:29 GMT

Are you trying to capture the data in a single field or multiple fields? Is this to be done at index time or search time?

Re: regex address

gcusello — Fri, 06 Dec 2024 14:33:37 GMT

Hi @CyberWolf ,

if the logs you have, you can use a regex like the following:

| rex "^[^,]+,\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"

that you can test at https://regex101.com/r/ZafgnI/1

I'd be more detailed if you can share a complete log, not onl a part of it.

Ciao.

Giuseppe

Re: regex address

dural_yyz — Fri, 06 Dec 2024 14:34:50 GMT

Creating the regex would be easy enough but it looks like your data is already coming in JSON or XML format. Is there a chance that the fields are already extracted as "city" and "state"? If not then I would recommend revisiting the ingestion props as a best practice. Rather than creating a lot of regex at search time if you had that field extraction during indexing then any changes to data would auto extract new fields.

.*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)

Re: regex address

CyberWolf — Fri, 06 Dec 2024 15:42:39 GMT

thanks but i think i wasn't clear what im trying to do is that all that to be in one field called (?<address>) not separated with city and state

Re: regex address

gcusello — Fri, 06 Dec 2024 15:45:00 GMT

Hi @CyberWolf ,

let me understand, you want only one field, called address containing city and state, is it correct?

in this case, please try this:

<your_search> | rex ".*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)" | eval address=state." ".city

Ciao.

Giuseppe

Re: regex address

CyberWolf — Fri, 06 Dec 2024 15:46:03 GMT

correct it comes in json and i dont have control of it, but im trying to have is address city and state to be all in the field and ignore coma quotes and :

Re: regex address

CyberWolf — Fri, 06 Dec 2024 15:47:03 GMT

all in a single field so i can used later to dc (distinguish count)

Re: regex address

CyberWolf — Fri, 06 Dec 2024 16:10:10 GMT

example from the raw logs:
"address":"1234 Nothing 2C Avenue","city":"something","state":"RD"

would like to have field name Address
Address
1234 Nothing 2C Avenue City something state RD

all that in one field so ignore the " , and :

What i have
index=something
| rex field=_raw "address\"\:\"(?<address>.*?)\"\,\"
which shows field name:
address
1234 Nothing 2C Avenue","city":"something","state":"RD"

Re: regex address

gcusello — Fri, 06 Dec 2024 17:03:15 GMT

Hi @CyberWolf ,

please try:

<your_search> | rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)" | eval address=address." City ".city." state ".state

Ciao.

Giuseppe

Re: regex address

CyberWolf — Fri, 06 Dec 2024 17:16:21 GMT

Thank you all it worked! (Grazie mile!) YEAHHH