topic Interactive Field Extraction (IFX) (Regex) in Splunk Search

Interactive Field Extraction (IFX) (Regex)

kailun92 — Wed, 24 Jul 2013 06:50:32 GMT

Original message <d:Message>(22/7)17:53 Accident on AYE (towards Tuas) after Jurong Port Rd Exit. Avoid lanes 2 and 3.</d:Message>

My XML at here Xml Data. How to extract all the exits only (e.g. Jurong Port Rd Exit) ?

I needed all the accident extracted by generated regex expression Interactive Field Extraction (IFX) feature

I am currently using Generated pattern (regex) of (?i)Area>(?P[^<]+).
It extracted this:

Re: Interactive Field Extraction (IFX) (Regex)

paddygriffin — Wed, 24 Jul 2013 12:50:23 GMT

you can modify the generated regex in Manager>Fields>Field Extractions, or better to make a new one using the existing one as a starting point [don't forget to also change the field name in the updated regex].
If I'm interpreting your goal correctly [extract exit name], one way would be to provide more context pattern in the regex, so for example it looks like each exit name is always preceded by before | till | at | beyond [maybe others] and ends with Exit. and you want to extract all characters between those two patterns.

Re: Interactive Field Extraction (IFX) (Regex)

bmacias84 — Wed, 24 Jul 2013 15:35:37 GMT

probably little more that you wanted. I cant see the XML since its blocked for me.



<d:Message>\(\d+/\d+\)\d\d:\d\d\s(?<eventtype>[^\s]+)\son\s(?<location>[^\(]+)\s\((?<direction>[^\)]+)\)\safter\s(?<area>[^\.]+)

If your useing IFX might looks something like this.



<d:Message>\(\d+/\d+\)\d\d:\d\d\s(?<field1>[^\s]+)\son\s(?<field2>[^\(]+)\s\((?<field3>[^\)]+)\)\safter\s(?<field4>[^\.]+)

The return fields:

eventtype=Accident
location=Aye
direction=toward Tuas
area=Jurong Port Rd Exit

I've tested it with the sample give above.

Hope this helps or gets you started.