topic Re: Regex Help! in Splunk Search

Regex Help!

shri_27 — Tue, 01 Apr 2014 11:09:17 GMT

Hi All,

I have a field whose values look like value1>value2>value3!!

Now i want to extract only value3 using rex!

I am not getting how to do that, Please help!

Thanks in advance:-)

Re: Regex Help!

MuS — Tue, 01 Apr 2014 11:21:09 GMT

Hi shri_27,

if your data always looks like this one line example and your needed value is always at the last/3rd place like in the one line example, you can use something like this:

... | rex "(.+>){2}(?<myValue>.+)" | ...

this will give you myValue=value3

cheers, MuS

Re: Regex Help!

gfuente — Tue, 01 Apr 2014 11:22:03 GMT

Hello

Try this

... | rex "((\w|\s)+\>){2}\s(?<value3>(\w|\s)+)" |...

It would be good to have some real examples, to see what pattern should we look for, but this may work.

Regards

EDIT: Updated rex

Re: Regex Help!

shri_27 — Tue, 01 Apr 2014 11:33:56 GMT

System Campus > Common Domain > Common Domain Park

Re: Regex Help!

shri_27 — Tue, 01 Apr 2014 11:35:32 GMT

real value above! Not able to extract value3 from both the rex expressions

Re: Regex Help!

shri_27 — Tue, 01 Apr 2014 11:36:02 GMT

i want to extract only Common Domain Park

Re: Regex Help!

gfuente — Tue, 01 Apr 2014 11:36:57 GMT

It is because of the white spaces, let me update the regex

Re: Regex Help!

shri_27 — Tue, 01 Apr 2014 11:53:00 GMT

That worked:-) Thanks

Re: Regex Help!

shri_27 — Mon, 28 Sep 2020 16:17:12 GMT

Olympic_foh_Main-Stadium > Main-Stadium Concession > Concession Areas

surprisingly am not able to extract 3rd value for this example!!

Re: Regex Help!

shri_27 — Tue, 01 Apr 2014 12:17:22 GMT

Got it!! Need to add |- between \w|\s..
Thanks again:-)

Re: Regex Help!

Rob — Wed, 02 Apr 2014 06:28:33 GMT

While that regex works, you might want to try improving it a little so it performs a bit better.

E.g. consider

(\w|\s)+

vs.

[\w\s]+

As you discovered, the hyphen messes things up a little. You may want to try something such as the following:

(?:[^>]+>){2}\s*(?<value3>.+)

If there are any characters after the value3 field, then you may want to use that to anchor the end of the extraction. Something like:

(?:[^>]+>){2}\s*(?<value3>.+)\b

Should help.

If value3 is always at the end of the string, something very simple such as:

.*>\s(?<value3>.+)

Will work very well.

Re: Regex Help!

sbrant_splunk — Fri, 04 Apr 2014 06:24:52 GMT

Another option (if the 3rd value is always at the end of the record):

(?<value3>[^\>]+)(?=$)

Re: Regex Help!

vqd361 — Tue, 08 Apr 2014 22:36:27 GMT

This will get the last value:

rex ">(?<lastvalue>[^>]+?)!!$"