Interactive Field Extraction (regex)

sbnoobbb — Fri, 26 Jul 2013 03:01:22 GMT

I have my data here Xml Data, I need to extract using Splunk IFX, Generated pattern (regex).

Example 1: (22/7)19:55 Accident on ECP (towards Changi Airport) after Maxwell Rd Entrance. Avoid lane 1./d:Message
Example 2: (22/7)14:29 Accident on ECP (towards Changi Airport) before Fort Rd Exit. Avoid lane 5./d:Message
Example 3: (19/7)15:19 Accident on PIE (towards Changi Airport) before Paya Lebar Rd with congestion till Kallang Way. Avoid lane 5./d:Message

Help 1: I need to extract the express-way exits on the word after and stops at .

Help 2: I need to extract the express-way exits on the word before and stops at Exit

Help 3: I need to extract the express-way exits on the word before and stops at with

There are still a lot of examples in the Xml Data.

I did (?i) before (?P<wordafter>.[^\.]*?Exit) , this extracts the Fort Rd Exit (Example 2), this extract only before, how can I extract after ? together with this expression.

Re: Interactive Field Extraction (regex)

sbnoobbb — Fri, 26 Jul 2013 08:55:51 GMT

After hours of trying, solved by (?i) (?Pat|after|before) (?P[^.]*?(?PExit.|Rd.|Entrance.|Ave.|Avenue.|North.|[1-9].|BKE.|SLE.|CTE.|ECP.|KJE.|TPE.|PIE.|AYE.))

Re: Interactive Field Extraction (regex)

suepfarrell — Thu, 08 Aug 2013 04:27:38 GMT

Can you tell me if i and P are exactly typed like this or you substituted field names in here?

Thinking this (with changes) may be my answer

topic Re: Interactive Field Extraction (regex) in Splunk Search

Interactive Field Extraction (regex)

Re: Interactive Field Extraction (regex)

Re: Interactive Field Extraction (regex)