topic Re: Regex to extract from start until a specific character in Splunk Search

Regex to extract from start until a specific character

Sukisen1981 — Tue, 12 Sep 2017 16:14:46 GMT

I have a test field in a CSV called description:
Completed changes are not shown as complete in channels for a while Actualstart: 2017-05-15 06:40:34
I want to extract everything from the start of the string until I encounter Actualstart.
I do not know how long the sub string before Actualstart is going to be , but I need to extract from start until Actualstart is reached.

Re: Regex to extract from start until a specific character

richgalloway — Tue, 12 Sep 2017 16:22:45 GMT

This should do it.

... | rex field=description "(?<string>.*?)Actualstart" | ...

Re: Regex to extract from start until a specific character

Sukisen1981 — Tue, 12 Sep 2017 16:36:07 GMT

I tried that before, does not work. This is very simple and I have done more complex regex but this very obvious rex returns empty values for string...

Re: Regex to extract from start until a specific character

gcusello — Tue, 12 Sep 2017 17:16:09 GMT

Hi Sukisen1981,
try something like this

your_search
| rex "^(?<string>.*)Actualstart"
| ...

Bye.
Giuseppe

Re: Regex to extract from start until a specific character

Sukisen1981 — Tue, 12 Sep 2017 18:01:20 GMT

nope Giuseppe ..doesn't work ..tried that before as well..BTW what does your rex mean? are you tying to extract FROM the description field or in general and i tied both options without luck.

Re: Regex to extract from start until a specific character

richgalloway — Tue, 12 Sep 2017 18:41:10 GMT

The regex works fine on regex101.com. Can you share a complete event and your full query? Are you sure there is a field called 'description'?

Re: Regex to extract from start until a specific character

gcusello — Wed, 13 Sep 2017 06:22:24 GMT

I tried it on regex101.com and it runs (see https://regex101.com/r/G6sRG9/1), could you share an example to test it again?
Anyway my regex says to take in "String" field all the chars from the beginning of the row until the word "Actualstart".
Bye.
Giuseppe

Re: Regex to extract from start until a specific character

Sukisen1981 — Wed, 13 Sep 2017 06:54:10 GMT

tomec error on mos order 4006, location is ok, but numberseries 24034800-4899 = 100 numbers has failed towards tomec.

Actual start: 2017-09-08 11:54:46

Business impact:

? Customers 100000 numbers is Down no Calls in or out.

here is a sample the description field. Now, the issue is not because of Actual start vs Actualstart...I had removed \s+ from description. Is it because of the space between the text and Actual Start?

Re: Regex to extract from start until a specific character

Sukisen1981 — Wed, 13 Sep 2017 06:54:23 GMT

tomec error on mos order 4006, location is ok, but numberseries 24034800-4899 = 100 numbers has failed towards tomec.

Actual start: 2017-09-08 11:54:46

Business impact:

? Customers 100000 numbers is Down no Calls in or out.

Re: Regex to extract from start until a specific character

gcusello — Wed, 13 Sep 2017 07:18:11 GMT

Hi
The problem is the multi line, try this regex:

| rex "(?ms)^(?<string>.*)\s+Actual start"

and test it at https://regex101.com/r/G6sRG9/2
Bye.
Giuseppe

Re: Regex to extract from start until a specific character

Sukisen1981 — Wed, 13 Sep 2017 07:32:15 GMT

Hi,

It works now! thanks a lot . I had forgotten although in splunk it looks like there are no gaps, the description field is indeed multi lined.

Many thanks once again , I am accepting the answer