Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Re: Field Extraction. Excluding a single word.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I wolud like make a extraction using the field extractor app. My question is how to exclude a single word of the extraction since it has variable word length (between 2 and 3 words).
This is my comand:
(?i)RESULT: (?\w*\s*\w*\s*\w*)
If the extractor finds the word "MIN" in the third word place, I don't want to extract it and keep it with the first two words.
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
Here is a simple (2 events). It's a multiline event data. What I 'm looking for is to extract the sentence after the word "RESULT: ". The sentence can have 2 or three words.
MACUL ALT103 SEP14 00:02:28 5971 FAIL ALT
MAIP 02 0 04 01 DN 229525843 1st CYCLE
LIT TESTS= R-G T-G FEMF RESULT: RING DC FEMF
MAX 2 VOLTS ACT 8 VOLTS
MACUL ALT104 SEP14 00:38:56 0576 FAIL ALT
GOBE 00 0 11 20 DN 229444877 1st CYCLE
LIT TESTS= R-G T-G FEMF RESULT: TIP LEAKAGE
MIN 40000 OHMS ACT 000 OHMS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot for your answers! It helped me to solve the issue. And as posted, the form removed the back slashes (and also less-than and greater-than signs).
What I have done is the following regex:
(?m)RESULT: (?P"less-than sign"FIELD_NAME"greater-than sign".+?)$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, you could try a regex that looks for either spaces followed by a number or MIN as the end, outside the capture group, like this maybe:
RESULT: (.*)(\s+MIN|\s+\d)
If that doesn't work, you could pipe it to an eval statement that uses the rtrim function to remove MIN, then eval with rtrim again to remove the last space.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The form removed the back slashes before the s and d, above...you'll need those
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
Here is a simple (2 events). It's a multiline event data. What I 'm looking for is to extract the sentence after the word "RESULT: ". The sentence can have 2 or three words.
MACUL ALT103 SEP14 00:02:28 5971 FAIL ALT
MAIP 02 0 04 01 DN 229525843 1st CYCLE
LIT TESTS= R-G T-G FEMF RESULT: RING DC FEMF
MAX 2 VOLTS ACT 8 VOLTS
MACUL ALT104 SEP14 00:38:56 0576 FAIL ALT
GOBE 00 0 11 20 DN 229444877 1st CYCLE
LIT TESTS= R-G T-G FEMF RESULT: TIP LEAKAGE
MIN 40000 OHMS ACT 000 OHMS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this
Your base search | rex "(?i)RESULT:(?.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post a sample of the event data?
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
