topic Re: Why is my rex command not extracting the field from my data? in Splunk Search

Why is my rex command not extracting the field from my data?

Laya123 — Wed, 29 Jul 2015 09:10:52 GMT

Hi,

My rex is not giving any results. I want to extract "XXX" from the below highlighted area. I used

rex field=_raw "\"CommO\" type=\"string\"\>\<\!\[CDATA\[(?<Owner>.*)\] - "

but not giving any results.

name="activationtype" type="string"><![CDATA[Activate]]></Property><Property name="Label" type="string"><![CDATA[r315107961a]]></Property><Property name="Description" type="string"><![CDATA[315107961 Verbreitung der Altersvorsorge 2015]]></Property><Property name="CommO" type="string"><![CDATA[XXX]]></Property><Property name="CommissioningCountry" type="string"><![CDATA[DEU--Germany]]></Property><Property name="groupname" type="string"><![CDATA[]]></Property><Property name="cluster" type="string"><![CDATA[Slo-V]]></Property><Property name="clientid"

Thanks in advance

Re: Why is my rex command not extracting the field from my data?

somesoni2 — Wed, 29 Jul 2015 15:14:05 GMT

Try this (used your sample data as input)

| gentimes start=-1 | eval temp="name=\"activationtype\" type=\"string\"><\!\[CDATA\[(?[^\]]*)\]"

Re: Why is my rex command not extracting the field from my data?

HattrickNZ — Wed, 29 Jul 2015 23:48:26 GMT

this any good?
https://regex101.com/r/lN5sA6/1

think this would translate into something like:
rex field="CDATA\[(?P[X]..)"

Re: Why is my rex command not extracting the field from my data?

MuS — Thu, 30 Jul 2015 01:21:56 GMT

Hi Laya123,

you got it almost correct 😉 Just remove the trailing - and add a ? and it's good....like this:

... | rex field=_raw "\"CommO\" type=\"string\"\>\<\!\[CDATA\[(?<Owner>.*?)\]" | ...

cheers, MuS

Re: Why is my rex command not extracting the field from my data?

krishnacasso — Thu, 30 Jul 2015 01:37:00 GMT

The term CDATA comes from the SGML world, which is the complex predecessor of XML. The term is short for Character Data and means that the data contains of characters, and should not be parsed. Tags, entities, attributes, processing instructions inside CDATA are treated as text, not as XML elements.

Re: Why is my rex command not extracting the field from my data?

Laya123 — Thu, 30 Jul 2015 09:03:57 GMT

Thank you so much. Its working

Re: Why is my rex command not extracting the field from my data?

Laya123 — Thu, 30 Jul 2015 09:15:26 GMT

Can you explain me. why we have to use '?'

Thank you in advance

Re: Why is my rex command not extracting the field from my data?

aholzel — Thu, 30 Jul 2015 09:58:34 GMT

+1 for using [^\]] this is way more efficient than .*?

Re: Why is my rex command not extracting the field from my data?

aholzel — Thu, 30 Jul 2015 10:01:41 GMT

the ? makes the regex non greedy but it is better to use the solution posted below by @somesoni2 that is more efficient. it takes less steps to find the match, it the data between the CDATA brackets gets longer the impact on the searchhead of the solution below is less than this solution.

Re: Why is my rex command not extracting the field from my data?

MuS — Thu, 30 Jul 2015 22:03:21 GMT

You're right this would be better, if it would work. This is more likely to work:

| gentimes start=-1 | eval temp="name=\"activationtype\" type=\"string\"><![CDATA[Activate]]></Property><Property name=\"Label\" type=\"string\"><![CDATA[r315107961a]]></Property><Property name=\"Description\" type=\"string\"><![CDATA[315107961 Verbreitung der Altersvorsorge 2015]]></Property><Property name=\"CommO\" type=\"string\"><![CDATA[XXX]]></Property><Property name=\"CommissioningCountry\" type=\"string\"><![CDATA[DEU--Germany]]></Property><Property name=\"groupname\" type=\"string\"><![CDATA[]]></Property><Property name=\"cluster\" type=\"string\"><![CDATA[Slo-V]]></Property><Property name=\"clientid\"" | rex field=temp "\"CommO\" type=\"string\"><\!\[CDATA\[(?<Owner>[^\]]*)\]"