
How can we extract a text in a new field

Communicator

Hi,
I want to extract a part of a text into a new field, and it was very difficult for me.
This is an extract of my log file. What I want to extract is IKEA.

ABC5=/DATAINTER/PROJET/kls-NFS-TDF/nil_ano/input/asd_b1m3_QS_First_Request.IKEA.4578944.201504081236.xml

I tried something like this, but it does not give a result:

source="ok.txt" host="LPO6523" |rex field=_raw  "INF1=*.(?<DIST>.*).*.*.xml"

Thank you for your help


Re: How can we extract a text in a new field

SplunkTrust

Hi otman01,

Based on your provided example, you can use something like this:

 source="ok.txt" host="LPO6523" |rex field=_raw  "\.(?<DIST>\w+)\."

This will give you a field called DIST with the value IKEA.

You can train your regex skills on sites like https://regex101.com or http://regexr.com

Hope this helps ...

cheers, MuS


Re: How can we extract a text in a new field

Communicator

This is what I tried. I don't know how it changed.

source="ok.txt" host="LPO6523" |rex field=_raw "ABC5=//////.(?<DIST>.)..*.xml"


Re: How can we extract a text in a new field

Communicator

There is a star between the //


Re: How can we extract a text in a new field

SplunkTrust

This page uses Markdown formatting; enter Splunk SPL in `` or use the `101010` button to encode it 😉


Re: How can we extract a text in a new field

SplunkTrust

This will not work, because you have to escape the / in regex like this: \/. Also, a * after the / will only match the / zero or multiple times (greedy match); you should use .* or .+ instead.


Re: How can we extract a text in a new field

Communicator

OK, I will try, and if I find some result I will post a correct answer.


Re: How can we extract a text in a new field

Communicator

The correct line that we have to put is

source="ok.txt" host="LPO6523" |rex field=_raw "ABC5=\/\w*\W*\/\w*\W*\/\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*(?<DIST>.*).{20}xml"

Those 2 links were very helpful

http://blog.paumard.org/cours/java-api/chap03-expression-regulieres-syntaxe.html

https://regex101.com/

Thank you MuS


Re: How can we extract a text in a new field

SplunkTrust

Sorry to say, but this is not the way you should use regex. If you're using a lot of these regexes on your search head, you will probably end up in trouble.
Here is why; your regex tells Splunk to search for:

ABC5= matches the characters ABC5= literally (case sensitive)
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\/ matches the character / literally
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\w* match any word character [a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
\W* match any non-word character [^a-zA-Z0-9_]
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
(?<DIST>.*) Named capturing group DIST
.* matches any character (except newline)
Quantifier: * Between zero and unlimited times, as many times as possible, giving back as needed [greedy]
.{20} matches any character (except newline)
Quantifier: {20} Exactly 20 times
xml matches the characters xml literally (case sensitive)

There are far more optimized regex available to get only a part of a string. Maybe you should be more specific with your use case or provide more examples.

BTW: using your regex and your provided example it matches IKEA.4

cheers, MuS

PS: Sorry to make this an answer but the regex translation part is simply too long for a comment 😉
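
An added example, not part of the original thread: a Python check of the patterns discussed above against the sample event, showing what each one captures in DIST. Python's `re` needs `(?P<DIST>...)` where Splunk's `rex` takes `(?<DIST>...)`; the `VARIANT` line and the `ANCHORED` pattern are assumptions made here for illustration, not something posted in the thread.

```python
import re

# EVENT is the sample line from the question. VARIANT is a constructed line
# (not from the thread) whose directory name happens to contain dots.
EVENT = ("ABC5=/DATAINTER/PROJET/kls-NFS-TDF/nil_ano/input/"
         "asd_b1m3_QS_First_Request.IKEA.4578944.201504081236.xml")
VARIANT = ("ABC5=/DATAINTER/PROJET.v2.old/input/"
           "asd_b1m3_QS_First_Request.IKEA.4578944.201504081236.xml")

# Patterns from the thread, with (?<DIST>...) rewritten as (?P<DIST>...).
LOOSE = r"\.(?P<DIST>\w+)\."
ACCEPTED = (r"ABC5=\/\w*\W*\/\w*\W*\/\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*\w*\W*"
            r"(?P<DIST>.*).{20}xml")

# Assumed layout (not stated in the thread): the file name is
# <name>.<DIST>.<digits>.<digits>.xml, so anchor on the last path segment
# and exclude "/" and "." from the captured value.
ANCHORED = r"ABC5=\S*/[^/.\s]+\.(?P<DIST>[^/.\s]+)\.\d+\.\d+\.xml"


def extract(pattern, text):
    """Return the DIST capture of the first match, or None if no match."""
    m = re.search(pattern, text)
    return m.group("DIST") if m else None


def compare(text):
    """Run all three patterns over one event and collect the DIST values."""
    return {name: extract(pat, text)
            for name, pat in (("loose", LOOSE),
                              ("accepted", ACCEPTED),
                              ("anchored", ANCHORED))}


if __name__ == "__main__":
    for label, line in (("EVENT", EVENT), ("VARIANT", VARIANT)):
        print(label, compare(line))
```

On the original event the long pattern captures `IKEA.4`, as noted in the answer above; on the constructed variant the unanchored pattern captures a directory fragment and the long pattern does not match at all, because it depends on the exact directory depth.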


Re: How can we extract a text in a new field

Communicator

Yes, I agree with you, but I found that it is very difficult to make something that can be applicable to the general case. But in my case it works perfectly with this handling (I used the regular expression that you sent me before 🙂 https://regex101.com/)

Thank you MuS, have a nice day
