https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166033#M47255 <P>Hi,</P> <P>Hope someone can help me with creating a regular expression for an extraction. I have a log file and the lines don't all have the same amount of information,but the information after the last comma always relates to the same field. I need to create a regular expression to associate anything after the last comma with an event type. When I try to do this without writing the regular expression it does not work for all lines. </P> <P>Hope someone can help, let me know if you need more information.</P> <P>here is a sample line:</P> <PRE><CODE>"WBS","20150617131035-any-96095",701,0,"20150617171035Z","10.183.56.173",3,0,"","http://10.183.56.173:10021/mmsc/direct","","M-default","P-default",8799,3367,27,0,0,0,0,0,116,"",0,"",0,"","text/plain","iPhoneOS/8.3 (12F70)",200 </CODE></PRE> <P>So i would want to grab the "200" in this line but it's not always 200.</P> <P>Thanks,<BR /> Mike</P> Wed, 17 Jun 2015 16:32:56 GMT mikehage 2015-06-17T16:32:56Z https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166033#M47255 <P>Hi,</P> <P>Hope someone can help me with creating a regular expression for an extraction. I have a log file and the lines don't all have the same amount of information,but the information after the last comma always relates to the same field. I need to create a regular expression to associate anything after the last comma with an event type. When I try to do this without writing the regular expression it does not work for all lines. </P> <P>Hope someone can help, let me know if you need more information.</P> <P>here is a sample line:</P> <PRE><CODE>"WBS","20150617131035-any-96095",701,0,"20150617171035Z","10.183.56.173",3,0,"","http://10.183.56.173:10021/mmsc/direct","","M-default","P-default",8799,3367,27,0,0,0,0,0,116,"",0,"",0,"","text/plain","iPhoneOS/8.3 (12F70)",200 </CODE></PRE> <P>So i would want to grab the "200" in this line but it's not always 200.</P> <P>Thanks,<BR /> Mike</P> Wed, 17 Jun 2015 16:32:56 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166033#M47255 mikehage 2015-06-17T16:32:56Z https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166034#M47256 <P>A sample of your data would be useful, this will probably get you started.</P> <PRE><CODE>.. | rex ",(?P&lt;field&gt;[^,]*?)$" | ... </CODE></PRE> Wed, 17 Jun 2015 16:47:35 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166034#M47256 richgalloway 2015-06-17T16:47:35Z https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166035#M47257 <P>here is a sample line:</P> <P>"WBS","20150617131035-any-96095",701,0,"20150617171035Z","10.183.56.173",3,0,"","<A href="http://10.183.56.173:10021/mmsc/direct%22,%22%22,%22M-default%22,%22P-default%22,8799,3367,27,0,0,0,0,0,116,%22%22,0,%22%22,0,%22%22,%22text/plain%22,%22iPhoneOS/8.3">http://10.183.56.173:10021/mmsc/direct","","M-default","P-default",8799,3367,27,0,0,0,0,0,116,"",0,"",0,"","text/plain","iPhoneOS/8.3</A> (12F70)",200</P> <P>So i would want to grab the "200" in this line but it's not always 200.</P> Wed, 17 Jun 2015 17:11:44 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166035#M47257 mikehage 2015-06-17T17:11:44Z https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166036#M47258 <P>The regex string in my answer should do it.</P> Wed, 17 Jun 2015 17:19:56 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166036#M47258 richgalloway 2015-06-17T17:19:56Z https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166037#M47259 <PRE><CODE>... | rex ",(?&lt;status&gt;\d+)$" </CODE></PRE> Wed, 17 Jun 2015 17:20:23 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166037#M47259 aljohnson_splun 2015-06-17T17:20:23Z https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166038#M47260 <P>If the last field is non-numeric, you will miss it. richgalloway above gave a nice, simple solution, i.e. match all non-comma characters up to the last comma in the line.</P> Mon, 23 Apr 2018 23:31:03 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166038#M47260 tcottreau 2018-04-23T23:31:03Z https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166039#M47261 <P>Like this:</P> <PRE><CODE>... | rex ",(?&lt;status&gt;[^,]*)$" </CODE></PRE> Tue, 24 Apr 2018 00:00:11 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-creating-a-regex-to-grab-anything-after-last-comma/m-p/166039#M47261 woodcock 2018-04-24T00:00:11Z