Solved: can i select field between brackets [ XYZ - ABC - ...

royimad · ‎04-11-2013

I need to select fields from a log who are between two [ ]
Event 1: Some data... [ AAA ]
Event 2: Some data... [aa - DD ]

I need those fields
AAA
aa - DD
DD

How to do that? I'm using this regular expression (?P[^ ]+) but the extraction is incorrect it extract

[AAA

[aa
and this is wrong i don't need the first character [ and need to get all the data between [ ]

aholzer · ‎04-11-2013

Once you figure out your starting point, you can use (?P[^\]]+)

You can do something like

   \[(?P<fieldname>[^\]]+)\]

This way you will pick up everything between an open bracket ([) and a close bracket (]) as long as it's not a close bracket.

Notice that I have escaped the open bracket and two of my close bracket. This makes the regex use the escaped brackets as a character instead of trying to parse them as part of the regex.

Hope this helps

View solution in original post

aholzer · ‎04-11-2013

Once you figure out your starting point, you can use (?P[^\]]+)

You can do something like

   \[(?P<fieldname>[^\]]+)\]

This way you will pick up everything between an open bracket ([) and a close bracket (]) as long as it's not a close bracket.

Notice that I have escaped the open bracket and two of my close bracket. This makes the regex use the escaped brackets as a character instead of trying to parse them as part of the regex.

Hope this helps

jonuwz · ‎04-11-2013

Converted to answer - this is correct, and well explained : )

can i select field between brackets [ XYZ - ABC - ] using regular expression?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!