topic Re: How to create Splunk Regex to search for a field after n occurrences of comma? in Splunk Search

How to create Splunk Regex to search for a field after n occurrences of comma?

atulitm — Wed, 21 Feb 2018 11:57:52 GMT

I have been trying to create Splunk rex but it doesn't work for some reason and would need help in finding any word or string after n number of commas like

LOG:
12/11/2018, abc, def, ced, xyz

I would like to get variable stored which is after 3 commas which is ced in above case something like :

index= | rex ",{3}(?\w+) | table test

Re: How to create Splunk Regex to search for a field after n occurrences of comma?

493669 — Wed, 21 Feb 2018 12:04:10 GMT

try this:

index=indexname|rex ".*,(?<test>\w+)"

Re: How to create Splunk Regex to search for a field after n occurrences of comma?

ctaf — Wed, 21 Feb 2018 12:32:02 GMT

Hi,

You can do this:

| rex (\s,\s\w+){2}\s,\s(?<fieldname>[^\s]+)

Put {n-1} for n commas. Here it is {2} for 3 commas.

Re: How to create Splunk Regex to search for a field after n occurrences of comma?

FrankVl — Wed, 21 Feb 2018 12:35:53 GMT

Your own attempt comes close, but you of course also need to include the strings before / in between those 3 commas in the regex for it to match.

So:

index= | rex "(?:[^,]*,\s*){3}(?<test>\w+)" | table test

Which defines a non capturing group consisting of some arbitrary number of non-comma characters, followed by a comma and possible whitespace. And that group is repeated 3 times. After that, the actual capturing group to capture the string you need.
https://regex101.com/r/AUhB3o/1

Re: How to create Splunk Regex to search for a field after n occurrences of comma?

atulitm — Wed, 21 Feb 2018 12:56:05 GMT

Thanks that helps .. I have tried a lot but may be its simple for you . i would like capture anything after 3rd comma and before 4th because this query helps in getting after 3rd but string after that is having gaps so it doesnt save whole string .

Re: How to create Splunk Regex to search for a field after n occurrences of comma?

FrankVl — Wed, 21 Feb 2018 13:02:27 GMT

Just replace the \w with [^,] and perhaps you need to do something about not capturing the whitespace before the 4th comma. So try this:

index= | rex "(?:[^,]*,\s*){3}(?<test>[^,]+)\s+," | table test

https://regex101.com/r/AUhB3o/2

Re: How to create Splunk Regex to search for a field after n occurrences of comma?

atulitm — Wed, 21 Feb 2018 13:14:23 GMT

Thanks for help frank . I need to improve myself on regex .

Re: How to create Splunk Regex to search for a field after n occurrences of comma?

FrankVl — Wed, 21 Feb 2018 13:19:41 GMT

You're welcome 🙂

And yes, that is a very valuable skill to develop as a Splunk user/admin 🙂