topic Re: regex TEXT in Splunk Search

regex TEXT

tb582 — Tue, 10 Apr 2012 01:19:18 GMT

Hopufully a quick one but I'm looking to search and extract anything between two these fields TEXT anyone know how?

Re: regex TEXT

dwaddle — Tue, 10 Apr 2012 01:52:38 GMT

The extraction is simple:

| rex "<title>(?<title_text>.*)</title>"

The searching part I'll leave as an exercise...

Re: regex TEXT

tb582 — Tue, 10 Apr 2012 02:30:34 GMT

Great Thanks, but I seem to be returning a huge line as theres a bunch of tags such as TEXTTEXTTEXT how do I limit it only to the text between the tags that I'm looking for? my search is "" | regex ...

Re: regex TEXT

Ayn — Tue, 10 Apr 2012 06:04:54 GMT

| table title_text

Re: regex TEXT

tb5821 — Tue, 10 Apr 2012 12:42:41 GMT

its still giving me the entire line and not just whats between the tags.

Re: regex TEXT

Ayn — Tue, 10 Apr 2012 12:57:57 GMT

Do you have multiple <title> tags for some weird reason? In that case, you will want to make the regex match non-greedy:

| rex "<title>(?<title_text>.*?)</title>"

Re: regex TEXT

tb5821 — Tue, 10 Apr 2012 14:12:27 GMT

No, there's only one set of title tags but its all contained within one long line that has other tags.

Re: regex TEXT

Ayn — Tue, 10 Apr 2012 14:20:44 GMT

And you applied the table command I wrote at the end of your search?

Re: regex TEXT

tb5821 — Tue, 10 Apr 2012 14:28:12 GMT

Yes, and in the table I get the entire line...

MytitletestA doctor.My copyTV-MAmy owner

Re: regex TEXT

cphair — Tue, 10 Apr 2012 21:09:11 GMT

I tried dwaddle's solution on my data and it worked fine. You are piping to rex, and not regex as you say in your title and first comment, correct? No newlines in your data? Does it make a difference if you specify field= to rex?

Re: regex TEXT

tb582 — Wed, 11 Apr 2012 02:10:35 GMT

Correct, I'm using rex not sure what you mean by field= since its just a string and not an actual extracted field

Re: regex TEXT

Ayn — Wed, 11 Apr 2012 05:31:54 GMT

As both cphair and me have tried these suggestions ourselves with the expected results I think it would be a good idea for you to paste a sample event. With the rex and table commands at the end, you really should be seeing only what's between the title opening and closing tags.

Re: regex TEXT

tb5821 — Wed, 11 Apr 2012 12:59:44 GMT

index=myindex sourcetype=my-app host=04* OR host=050 Status_type="ERROR" NOT "The remote server returned an error: (401) Unauthorized." | join type=left task_id [search iindex=myindex sourcetype=my-app host=04* OR host=050 "<title>" OR "<owner>" rex "<title>(?<title_text>.*)</title>" | rex "<owner>(?<owner_text>.*)</owner>" | rename id AS "Asset" | fields "Asset" task_id owner_text title_text]

Re: regex TEXT

cphair — Wed, 11 Apr 2012 13:09:21 GMT

Not sure if the forum mangled your syntax, but you're missing a pipe character between OR "" and the first rex. Also, wouldn't a where command work better than a join on a subsearch? Something like "where NOT like(status_type, "(401) Unauthorized".

Re: regex TEXT

tb5821 — Wed, 11 Apr 2012 13:20:22 GMT

sorry, that pipe should of been included in the post.

Not sure if a where would be better, I'm new to splunk 🙂

Re: regex TEXT

Ayn — Wed, 11 Apr 2012 13:29:24 GMT

So where's the | table command that you reportedly were using?

Re: regex TEXT

cphair — Mon, 28 Sep 2020 11:39:51 GMT

It may be the join that's messing you up. Try it without the subsearch:



index=myindex sourcetype=my-app host=04 OR host=050 Status_type="ERROR" NOT "The remote server returned an error: (401) Unauthorized." | rex "(?<title_text>.)" | rex "(?.)" | rename id AS "Asset" | table "Asset" task_id owner_text title_text

Since you're doing a left join anyway, you're keeping all the results from the original search, so you don't have to do another search over the same data cut.

Re: regex TEXT

tb5821 — Mon, 28 Sep 2020 11:39:53 GMT

I took it out to see if it made a difference... it would look like so at the very end ... | table task_id owner_text title_text

Re: regex TEXT

Ayn — Wed, 11 Apr 2012 14:06:55 GMT

Well it's not going to do much good within a subsearch. You need to add it to your main search.