topic Re: Regex help in Splunk Search

Regex help

DataOrg — Tue, 05 Sep 2017 09:45:42 GMT

CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: threat call workplace||ATdT|||AC1CSED
CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: workplace management||ATdT|||AC1CSED

I want only from Workflow to first pipe present " from the above text and i want to select from starting workflow and it should end in pipe symboll

Re: Regex help

niketn — Tue, 05 Sep 2017 09:54:03 GMT

@premranjithj, can you please try the following and confirm?

rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"

Re: Regex help

DataOrg — Tue, 05 Sep 2017 10:02:38 GMT

@niketnilay its worked. but i want from workflow name also. how to get it.

other rows doesn't have word workflow which we are looking. so if that row doesnt have word workflow. i want dont want that row to have other text . i want as empty or NA. pls help

Re: Regex help

niketn — Tue, 05 Sep 2017 10:36:56 GMT

@premranjithj, can you add samples of rows without workflow.

What is STCK? What kind of values can i have?

Or else can you confirm whether it is always the 9th pipe (|) that will have Workflow name? In that case you can use

| eval data=split(_raw,"|")
| eval workflow=mvindex(data,9)
| eval workflow=case(match(workflow,"Workflow"),workflow,"N/A")

In fact you should take care of this while ingesting the data and index it with Delimited String (Pipe Separated Value) so that all fields are already extracted during search time field discovery.

Re: Regex help

DataOrg — Tue, 05 Sep 2017 11:02:20 GMT

hi @niketnilay it will not be always be 9th pipe that will have workflow.

Re: Regex help

niketn — Tue, 05 Sep 2017 11:10:15 GMT

@premranjithj, then you would definitely need to add more samples. Even for regular expression you would need to know before or after pattern.

For using delimeter you would need to know which position/s it might be present.

So, besides above one more question: will workflow always have name Workflow in it?

Since you own the data, you will have to tell us the pattern/s of data so that we can help you with regex. Unfortunately it can not be the other way around. Hope you understand.

Re: Regex help

DataOrg — Tue, 05 Sep 2017 11:16:04 GMT

yes always workflow will have the same name and only one time its present
so we have to keep workflow as base to find

Re: Regex help

niketn — Tue, 05 Sep 2017 11:33:46 GMT

As requested can you add few samples or events without Workflow as well?

I have added an updated query to prefix "Workflow: " for workflow or set as "N/A" otherwise. Please try out and confirm.

Re: Regex help

niketn — Tue, 05 Sep 2017 11:36:43 GMT

Is following query what you need?

| rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
| eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")

Re: Regex help

DataOrg — Tue, 05 Sep 2017 11:48:22 GMT

below are the samples
DOSTART||TECH||()--()||Error while other 'sequence', set 'sink' at step 'SWIfkdslTCH ON ?'.() -- Method 'help' of answered 'O

An occurred in service 'sequence' Order failed (incifdffdsdent is on time to check()

An err occurred in service |TECH|PARs||STCK|Workflow: automated||promots|physical

Re: Regex help

DataOrg — Tue, 05 Sep 2017 13:16:29 GMT

| eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")
this statement nt working

Re: Regex help

DalJeanis — Tue, 05 Sep 2017 14:04:38 GMT

Try this...

| rex "|(<workflow>Workflow: [^|]*)|"

Re: Regex help

niketn — Tue, 05 Sep 2017 14:37:45 GMT

I tried following run anywhere search which worked fine. I just cooked up one event without Workflow:

|  makeresults
|  eval data="CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: threat call workplace||ATdT|||AC1CSED;CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK| threat call workplace||ATdT|||AC1CSED;CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: workplace management||ATdT|||AC1CSED"
|  eval data=split(data,";")
|  mvexpand data
|  rename data as _raw
|  rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
|  eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")