Solved: How do we extract from a character "-" till the en...

royimad · ‎04-12-2013

My events look like this
Event1: blah blah - blah blah ANY CHARACTERS
(multilines could exist after the first lines and sometime my event is with a single line)
Event 2: blah blah .... - blah blah

How to extract from character "-" till the end of the first line, how to do that?.
I have tried (?-.*\n) but my second event didn't appear with single line.

royimad · ‎04-12-2013

This is the solution:

(?P-.*[\r\n]+)

View solution in original post

royimad · ‎04-12-2013

This is the solution:

(?P-.*[\r\n]+)

kristian_kolb · ‎04-12-2013

Didn't this work?

http://splunk-base.splunk.com/answers/83324/can-i-write-a-conditional-regular-expression

Questions/observations:
By ANY CHARACTER, I assume that includes dashes/hyphens as well?
Don't you want \s-\s(?<your_field>.*)$ (remember that the dollar sign is the end of the line)
Please post some real events.

/K

royimad · ‎04-12-2013

Thanks for the suggestion it is the right answer \s-\s(?.*)$ is working great

royimad · ‎04-12-2013

The extraction that you suggested is working well, Great

royimad · ‎04-12-2013

ok, This is great also
(?P-.*[\r\n]+)

How do we extract from a character "-" till the end of the line?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

How do we extract from a character "-" till the end of the line?

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey