topic Re: How to write the regex to extract this field? in Splunk Search

How to write the regex to extract this field?

splunker9999 — Tue, 19 Jul 2016 22:36:46 GMT

Hi ,

Can someone please suggest the regex for this field extraction?

We need to extract de from below context with field as Name:

csc-3.0.1/r1_de_ *:1012

Thanks

Re: How to write the regex to extract this field?

skoelpin — Tue, 19 Jul 2016 22:53:52 GMT

Hey @splunker9999 This will work. The way I learned it was by going to regex101.com and pasting the text and writing regex to make it work

(?<=r1\_)de

Re: How to write the regex to extract this field?

splunker9999 — Tue, 19 Jul 2016 23:14:56 GMT

Hi , This doesn't works.

I used below
^[^/\n]*/\w+\d+_(?P[a-z]+)

Thanks

Re: How to write the regex to extract this field?

skoelpin — Tue, 19 Jul 2016 23:21:43 GMT

I forgot to mention that the point of regular expressions is to match patterns so if you had any other text than "r1_de" then it will not pick it up. Instead the regex should look like the one below, where it will pick up on digits and letters rather than hardcoded values

(?<=\w\_)\w{2}

Re: How to write the regex to extract this field?

sundareshr — Wed, 20 Jul 2016 01:38:03 GMT

Try this

.. | rex "_(?<Name>\w+)_" | ...

*OR*

.. | rex "_(?<Name>\w{2})_" | ...

Re: How to write the regex to extract this field?

gabriel_vasseur — Wed, 20 Jul 2016 07:23:57 GMT

It would help if you could provide many examples of the data, so that we can understand what's variable and what's always the same, as that is key to design a good regex.