topic Re: How to modify my regular expression to extract strings between two pipes? in Splunk Search

How to modify my regular expression to extract strings between two pipes?

maximusdm — Tue, 31 Jan 2017 16:35:19 GMT

hello, I need to extract the strings between both pipes " | | ", for instance, here are a few sample strings:
(sometimes we have a pipe: " I " and sometimes we have a uppercase letter " i" )

ASDSAD ASDASD ASDAS | STRING001 | ASDA ASDASD ASDASDADADA
ASDSAD ASDASD ASDAS I STRING002 I ASDA ASDASD ASDASDADADA

My regular expression works 90% of time:

| rex field="Site Section" ".*\|\s*(?<SiteSection>.*)\s*\|"   
| rex field="Site Section" ".*\I\s*(?<SiteSection>.*)\s*\I"  
| rex field="Site Section" ".*\I\s*(?<SiteSection>.*)\s*\|" 
| rex field="Site Section" ".*\|\s*(?<SiteSection>.*)\s*\I"

However it does not work for the strings below:
ASDASD ASDASDASDA ADASDADAD I AMC I IFC <=== returns empty
(most likely because of "IFC" string contains a uppercase letter "i")

ASDASD ASDASDASDA ADASDADAD I DISCO I ADASDA <== returns "ISCO"
(most likely because of "IFC" string contains a uppercase letter "i")

Any ideas how to modify my regular expression?
Thanks

Re: How to modify my regular expression to extract strings between two pipes?

somesoni2 — Tue, 31 Jan 2017 17:15:35 GMT

Give this a try

Updated

your base search | rex field="Site Section" "\s(\||I)\s+(?<SiteSection>.+)\s+(\||I)\s"

Re: How to modify my regular expression to extract strings between two pipes?

maximusdm — Tue, 31 Jan 2017 17:44:27 GMT

it is a lot better but still if I have a letter uppercase " i " after the second pipe " | " then it doesnt work properly. Thanks

Re: How to modify my regular expression to extract strings between two pipes?

somesoni2 — Tue, 31 Jan 2017 18:22:58 GMT

A sample log where it's failing?

Re: How to modify my regular expression to extract strings between two pipes?

maximusdm — Tue, 31 Jan 2017 19:22:48 GMT

if you have a string such as: ABCDE I AAA I IFC the results will be "AAA I" and not "AAA" as it should be.

Re: How to modify my regular expression to extract strings between two pipes?

somesoni2 — Tue, 31 Jan 2017 19:39:05 GMT

The value/string that you want to capture, will it always be a single word or can be multiple words?
Try the updated answer as well.

Re: How to modify my regular expression to extract strings between two pipes?

maximusdm — Tue, 31 Jan 2017 22:43:09 GMT

with your update I only had one string which failed and it is because there is no space between the pipe "|" and the letter "i", for instance:
AASSDDF DFGJKJ | A&E |FYI will return nothing.

PS: strings with 2 words between the pipes work just fine!

Re: How to modify my regular expression to extract strings between two pipes?

somesoni2 — Tue, 31 Jan 2017 22:47:21 GMT

How about this?

your base search | rex field="Site Section" "\s(\||I)\s+(?<SiteSection>.+)\s+(\||I\s)"

Re: How to modify my regular expression to extract strings between two pipes?

maximusdm — Tue, 31 Jan 2017 23:37:31 GMT

now it fails when there are no spaces between the first pipe LOL
for instance:
ASDF ASDF| A&E |FYI or
ASDF ASDF |A&E |FYI

Re: How to modify my regular expression to extract strings between two pipes?

gokadroid — Tue, 31 Jan 2017 23:56:34 GMT

If still required, can you check this one which shall work in most of the cases:

your query to return events
| rex field=_raw"\s*(\s*\|\s*(?<captureMe>[^\|]+)\|\s*)"
| table captureMe

See extraction here

Re: How to modify my regular expression to extract strings between two pipes?

maximusdm — Thu, 02 Feb 2017 21:55:25 GMT

This resolved my problem by replacing the " i " with pipes before the next reg.exp.

| rex field="Site Section" mode=sed "s,\sI\s, | ,g"
| rex field="Site Section" ".|\s(?.)\s|"

I want to thank you for pointing me to the right direction.