All Apps and Add-ons

Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...

nareshchenchati
Explorer

Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...

I want to extract only this validation string but not () valus which is there in the second event..

[2/26/19 03:22:29:506 CEST] 0000001f monitor O 2019-06-26 14:22:29,506 [newstp - validation - NEW]

[2/26/19 03:28:17:829 CEST] 00000023 monitor O INFO 2019-06-26 14:28:17.829 activity;

Here is the Regex which I'm using :^(?:[^ \n]* ){10}(?P[^ ]+)

Please help me to extract only validation string, not the empty string..

0 Karma
1 Solution

memarshall63
Communicator

Here's a string that will get you the value of the validation string:

\[newstp\s-\svalidation\s-\s(?P<fld>.+)\]

This just looks for the string "[newstp - validation - and captures the next word before the ],
-or, did you mean it's giving you the () and you always want the bits in between the []'s?

.*\[(?P<fld>.+)\]

This looks for the square brackets and captues what's between them.

I used 'fld' as the field name where you should find the captured bits.

Hope that helps.

View solution in original post

0 Karma

memarshall63
Communicator

Here's a string that will get you the value of the validation string:

\[newstp\s-\svalidation\s-\s(?P<fld>.+)\]

This just looks for the string "[newstp - validation - and captures the next word before the ],
-or, did you mean it's giving you the () and you always want the bits in between the []'s?

.*\[(?P<fld>.+)\]

This looks for the square brackets and captues what's between them.

I used 'fld' as the field name where you should find the captured bits.

Hope that helps.

0 Karma

nareshchenchati
Explorer

Thanks for the reply.. I'm unable to get the output.. it says "Regex: missing terminating" while testing...

0 Karma

memarshall63
Communicator

Here's my search:

source="/tmp/splunk_ingest/*" host="/tmp/splunk_ingest" index="sandbox" sourcetype="rando_file" 
| rex field=_raw "\[newstp\s-\svalidation\s-\s(?P<fld>.+)\]"
| rex field=_raw ".*\[(?P<fld2>.+)\]" 
| table _time _raw fld fld2

and my results (in CSV):

_time","_raw",fld,fld2
"2019-06-25T21:28:17.829-0400","[2/26/19 03:28:17:829 CEST] 00000023 monitor O INFO 2019-06-26 14:28:17.829 [activity] ();",,activity
"2019-06-25T21:22:29.506-0400","[2/26/19 03:22:29:506 CEST] 0000001f monitor O 2019-06-26 14:22:29,506 [newstp - validation - NEWSTP$46359]","NEWSTP$46359","newstp - validation - NEWSTP$46359"
0 Karma

memarshall63
Communicator

Can you post your search string?

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...