topic Re: Help with RegEX in Splunk Search

Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:07:30 GMT

Hello to all..

I am attempting (partially succesfully so far) to extract some text. The problem I am having is that it is also extracting unwanted text past the vaue I am (obviously incorrectly) specifying as the end point.

The string I am trying to extract is (in this example) ALEXANDRIA
ALEXANDRIA (attempting to extract the text between > and <)

The expression I am using is
rex field=_raw "\(?\S+)\<"

However, when I run the search, I also get the proceeding text in the returned value below:
ALEXANDRIANSW2015AUAustralia

As I say it is sort of working but I am unsure as to how to instruct the expression to stop at the < after the suburb name.

Any help or pointers will be gratefully accepted.
---update--
The input string is

<mm:SuburbName>ALEXANDRIA</mm:SuburbName>

The suburb will vary

The output I am getting is

ALEXANDRIA</mm:SuburbName><mm:StateOrProvinceCode>NSW</mm:StateOrProvinceCode><mm:PostalCode>2015</mm:PostalCode><mm:CountryCode>AU</mm:CountryCode><mm:CountryName>Australia</mm:CountryName>

Cheers all.

Alastair

Re: Help with RegEX

ramdaspr — Tue, 24 Mar 2015 04:14:35 GMT

Can you share a sample of the data set you are trying to work with?

Please enclose the example within the code sample (5th button on the textbox toolbox) so that the brackets arent removed.

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:17:37 GMT

Hello...

Sorry was just trying to work out how to do that 🙂

The expression I am using is rex field=_raw "\(?\S+)\<" and the output I am getting is
ALEXANDRIANSW2015AUAustralia

Hope this is as needed

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:18:43 GMT

Arrgghh.. will try again

RegEx = "rex field=_raw "\(?\S+)\<""

Output

"ALEXANDRIANSW2015AUAustralia"

Re: Help with RegEX

ramdaspr — Tue, 24 Mar 2015 04:19:33 GMT

We would need to see the input event so that we can help with the regex query.

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:19:51 GMT

Sorry... cannot get the RegEx string to display. Have tried using both and "`" but the string keeps getting chopped off.

Any other suggestions ?

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:23:14 GMT

`rex field=_raw  "\<mm\:SuburbName+\>(?<Suburb>\S+)\<"`

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:25:26 GMT

The input string is

<mm:SuburbName>ALEXANDRIA</mm:SuburbName>

The suburb will vary

The output I am getting is

ALEXANDRIA</mm:SuburbName><mm:StateOrProvinceCode>NSW</mm:StateOrProvinceCode><mm:PostalCode>2015</mm:PostalCode><mm:CountryCode>AU</mm:CountryCode><mm:CountryName>Australia</mm:CountryName>

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:26:48 GMT

So I am trying to extract the text string between > and < in this case ALEXANDRIA

Re: Help with RegEX

leathej1 — Tue, 24 Mar 2015 04:34:21 GMT

Let me introduce you to my personal savior: RegEx101.com

(?i)SuburbName\>(?P\w+)\<

Re: Help with RegEX

ramdaspr — Tue, 24 Mar 2015 04:34:51 GMT

Try with this. Seems to work for the same data you have.

rex field=t "\<mm\:SuburbName\>(?<suburb>\w+)\<.*"

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:44:39 GMT

Fantastic... thank you very much for your help and sorry for the confusion in getting the required data posted 🙂

Cheers.

Alastair

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 04:45:44 GMT

Thank you for the site link... this will definitely come in handy.

Cheers,
Alastair

Re: Help with RegEX

ppablo — Tue, 24 Mar 2015 04:48:18 GMT

In addition to @leathej1's resource, this previous Answers post has a bunch of great regex sites as well in case you're interested.
http://answers.splunk.com/answers/153171/is-there-any-online-regex-tool-to-create-regular-e.html

Re: Help with RegEX

ramdaspr — Tue, 24 Mar 2015 06:10:32 GMT

Missed something quite important, the suburb name could include a space which the above answer will not accept as a valid input.

rex field=_raw "\<mm\:SuburbName\>(?<suburb>[a-zA-Z ]*)\<.*"

Should work better as a solution there is a space between Z and ] to allow whitespace as an acceptable value in the Suburb Name.

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 22:52:24 GMT

Ah.. yes that is better.. I was wondering why there were no suburbs appearing with more than one name component.
Thank you so much again fro all your help.
Cheers
Alastair

Re: Help with RegEX

ahogbin — Tue, 24 Mar 2015 22:53:10 GMT

An excellent page full of rather good resources.
Thank you for providing this.
Cheers,

Alastair