topic Re: RegEx _raw extraction help in Splunk Search

RegEx _raw extraction help

kdb8916 — Mon, 28 Sep 2020 15:53:58 GMT

I am trying to extract info from the _raw result of my Splunk query. Currently my _raw result is:
_raw="2014-02-13 13:02:10,3,VIDEO_STREAMING,CAMERA_6,\"Video has stopped or is intermittent for camera 6='Tool Corral Rear Aisle' on encoder 192.168.2.101.\"

I would like to extract the Camera Name, which in this case is 'Tool Corral Rear Aisle', from the above _raw string.

Can anyone help?

Thanks so much!

Re: RegEx _raw extraction help

sbrant_splunk — Fri, 14 Feb 2014 19:47:22 GMT

Try this:

(?<cam_name>[^=]+)(?=\son\sencoder)

usage:

your base search | rex "(?<cam_name>[^=]+)(?=\son\sencoder)"

Re: RegEx _raw extraction help

kdb8916 — Fri, 14 Feb 2014 19:55:29 GMT

Thank you for your response.

When I run that code I am getting an error msg - Error in 'SearchParser': Missing a search command before '^'.

The total snippet that I entered in my existing query based on your input was: rex field=_raw (?[^=]+)(?=\son\sencoder)

Re: RegEx _raw extraction help

kdb8916 — Fri, 14 Feb 2014 19:57:20 GMT

That didn't seem to translate correct once I hit the post comment button ... note that I did use the slashes '\' that you suggested in your reply.

Re: RegEx _raw extraction help

sbrant_splunk — Fri, 14 Feb 2014 20:39:58 GMT

When using the Rex command, the regular expression must be in quotes.

Re: RegEx _raw extraction help

kdb8916 — Mon, 17 Feb 2014 14:08:30 GMT

Yes that would be consistent with the other Rex commands I was using ... my apologies for that oversight and I thank you both for your assistance.