I have a field that already exists, and I want to parse it out into a new field, using props/transforms. The field is surrounded in brackets, so it's in this format:
<COMPID> these are some values </COMPID>
The entire feed is bracket enclosed (but not xml). I've never done this before, and the regex is killing me as well. Can anyone help?
See this answer: https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html
but you will use these settings in transforms.conf:
REGEX = \>([^\<]+)\<
FORMAT = MyNewFieldName::$1
This will create a new field called MyNewFieldName containing this value: these are some values.
Hope this helps ...
Sorry, getting back to this... not sure this will work, as every field is bracket <> separated. I need something that will extract the first string within the values. It contains multiple, white space separated values.
<COMPID>string1 string2 string3 string4</COMPID>
Sure this will work, I just did not understand it correctly 😉
In this case try this regex:
REGEX = \>([^\s]+)\s
this will get
string1 from your example as value of the
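
Added example, not part of the thread: a small Python harness that emulates a first-match REGEX / FORMAT pair so the two regexes quoted above can be checked against sample events before they go into transforms.conf. It assumes the regex is applied to the whole event text; the sample events, the MSGID and STATUS elements, and the COMPID-anchored pattern are constructed here for illustration.

```python
import re

# Constructed sample events (not real feed data).
SINGLE = "<COMPID>string1 string2 string3 string4</COMPID>"
PADDED = "<COMPID> these are some values </COMPID>"
MULTI = ("<MSGID>42</MSGID> "
         "<COMPID>string1 string2 string3 string4</COMPID> "
         "<STATUS>ok</STATUS>")

# Regexes quoted from the thread.
THREAD_WHOLE_VALUE = r"\>([^\<]+)\<"
THREAD_FIRST_TOKEN = r"\>([^\s]+)\s"
# Hypothetical variant (an assumption, not from the thread): anchored on the
# element name and tolerant of leading whitespace inside the element.
ANCHORED_FIRST_TOKEN = r"<COMPID>\s*([^\s<]+)"

FORMAT = "MyNewFieldName::$1"


def apply_transform(regex, fmt, text):
    """Emulate a REGEX/FORMAT pair: first match only, $N replaced by group N."""
    match = re.search(regex, text)
    if match is None:
        return {}  # no match means the field is not created
    name, _, template = fmt.partition("::")
    value = re.sub(r"\$(\d+)",
                   lambda ref: match.group(int(ref.group(1))),
                   template)
    return {name: value}


def compare(text):
    """Return what each pattern would extract from one event."""
    patterns = {
        "thread_whole_value": THREAD_WHOLE_VALUE,
        "thread_first_token": THREAD_FIRST_TOKEN,
        "anchored_first_token": ANCHORED_FIRST_TOKEN,
    }
    return {label: apply_transform(rx, FORMAT, text).get("MyNewFieldName")
            for label, rx in patterns.items()}


if __name__ == "__main__":
    for event in (SINGLE, PADDED, MULTI):
        print(event)
        for label, value in compare(event).items():
            print(f"  {label:22} -> {value!r}")
```

On the multi-element event the unanchored patterns latch onto the first element in the event rather than COMPID, and the first-token pattern finds nothing when the value starts with a space.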