Field Extraction. Excluding a single word.

fvasquezchacon
Path Finder

Hi!

I would like to make an extraction using the field extractor app. My question is how to exclude a single word from the extraction, since it has a variable word length (between 2 and 3 words).

This is my command:

(?i)RESULT: (?\w*\s*\w*\s*\w*)

If the extractor finds the word "MIN" in the third word position, I don't want to extract it and want to keep only the first two words.

Thanks in advance!

0 Karma
1 Solution

fvasquezchacon
Path Finder

Hi!

Here is a sample (2 events). It's multiline event data. What I'm looking for is to extract the sentence after the word "RESULT: ". The sentence can have two or three words.

MACUL      ALT103 SEP14 00:02:28 5971 FAIL ALT 
        MAIP 02 0 04 01    DN 229525843    1st CYCLE
        LIT TESTS= R-G T-G FEMF  RESULT: RING DC FEMF
        MAX      2 VOLTS  ACT      8 VOLTS

MACUL      ALT104 SEP14 00:38:56 0576 FAIL ALT 
        GOBE 00 0 11 20    DN 229444877    1st CYCLE
        LIT TESTS= R-G T-G FEMF  RESULT: TIP  LEAKAGE
        MIN    40000 OHMS   ACT      000 OHMS

0 Karma

fvasquezchacon
Path Finder

Thanks a lot for your answers! It helped me to solve the issue. And as posted, the form removed the backslashes (and also the less-than and greater-than signs).

What I have done is the following regex:

(?m)RESULT: (?P<FIELD_NAME>.+?)$

0 Karma
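To see why the end-of-line anchor matters, here is an added example (not code from the thread) that runs the question's first regex, the `(\s+MIN|\s+\d)` suggestion and the final `(?m)...$` regex over the two sample events from the thread, using Python's re module as a stand-in for Splunk's PCRE-based rex; the capture group name RESULT is assumed, since the forum stripped the original names.

```python
import re

# Constructed sample: the two multiline events quoted in the thread (not live data).
EVENTS = [
    "MACUL      ALT103 SEP14 00:02:28 5971 FAIL ALT \n"
    "        MAIP 02 0 04 01    DN 229525843    1st CYCLE\n"
    "        LIT TESTS= R-G T-G FEMF  RESULT: RING DC FEMF\n"
    "        MAX      2 VOLTS  ACT      8 VOLTS\n",
    "MACUL      ALT104 SEP14 00:38:56 0576 FAIL ALT \n"
    "        GOBE 00 0 11 20    DN 229444877    1st CYCLE\n"
    "        LIT TESTS= R-G T-G FEMF  RESULT: TIP  LEAKAGE\n"
    "        MIN    40000 OHMS   ACT      000 OHMS\n",
]

# First attempt from the question (group name RESULT assumed). \s* also matches
# newlines, so the third \w* can reach into the next line and pick up MIN.
ORIGINAL = re.compile(r"(?i)RESULT: (?P<RESULT>\w*\s*\w*\s*\w*)")

# The suggested alternative: the capture must be followed by whitespace and
# then MIN or a digit, outside the group (group name RESULT assumed).
SUGGESTED = re.compile(r"RESULT: (?P<RESULT>.*)(\s+MIN|\s+\d)")

# The regex the asker settled on: (?m) makes $ match at the end of each line,
# so the lazy .+? stops before the next line whatever it contains.
FINAL = re.compile(r"(?m)RESULT: (?P<RESULT>.+?)$")


def extract(pattern, event):
    """Return the RESULT field a pattern extracts from one event, or None."""
    m = pattern.search(event)
    return m.group("RESULT") if m else None


def extract_all(pattern):
    """Apply one pattern to every sample event, in order."""
    return [extract(pattern, e) for e in EVENTS]


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("suggested", SUGGESTED), ("final", FINAL)):
        print(name, extract_all(pat))
```

The first pattern pulls "MIN" from the following line into the second event's field, the suggested pattern finds nothing in the first event because its next line starts with MAX rather than MIN or a digit, and the final pattern returns exactly the text to the end of the RESULT line in both.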

adauria_splunk
Splunk Employee

First, you could try a regex that looks for either spaces followed by a number or MIN as the end, outside the capture group, like this maybe:

RESULT: (.*)(\s+MIN|\s+\d)

If that doesn't work, you could pipe it to an eval statement that uses the rtrim function to remove MIN, then eval with rtrim again to remove the last space.

0 Karma

adauria_splunk
Splunk Employee

The form removed the backslashes before the s and d, above... you'll need those.

0 Karma

somesoni2
Revered Legend

How about this:

Your base search | rex "(?i)RESULT:(?.*)"

0 Karma

jeremiahc4
Builder

Can you post a sample of the event data?

0 Karma