I have the following log(s) from which I want to extract the value inside the parenthesis. The parenthesis field is preceded by 2 other values in parenthesis, and is followed by the statement "No activation date"
{2015-09-24} {465456] [N1234SYS04] No activation date and no log bytes available.
I would like to extract the value in the 3rd parenthesis (i.e. N1234SYS04) as it is a valuable ID field that is not getting parsed into a field on Splunk. I'd like to use the regex command but I'm not sure what my syntax should be (rex field = _raw(......))
Any help would be great. Thanks!
Hi aramakrishnan,
you can try this regex:
your base search here | rex field=_raw "\[(?<ID>[^\]]*)" | do further splunk fu with ID
Hope this helps ...
cheers, MuS
This extracts the field but the issue is that there are actually 2 other fields that are preceded by the field I want, which also have the same format i.e. [2015-09-24][465456][N1234SYS04]. Using the rex syntax you provided pulls information from the first one, but I want it from the 3rd parenthesis (i.e. I want the field to only show N1234SYS04, but currently it's showing 2015-09-24). How can I specify which parenthesis I want to start the extraction from?
The original example you gave shows {} for the first, {] for the second, and [] for the third. With that data sample @Mus's rex would work perfectly.
If in fact you have [] [] [] then you can modify Mus's rex this way:
... | rex field=_raw "\[.*?\]\s+\[.*?\]\s+\[(?<ID>[^\]]*)" | stats count by ID
Thank you so much @wrangler2x and @Mus. That worked perfectly.
tested and working with this regex:
/opt/splunk/bin/splunk cmd pcregextest mregex="(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" test_str="[2015-09-24][465456][N1234SYS04].
> "
Original Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Expanded Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Regex compiled successfully. Capture group count = 2. Named capturing groups = 1.
SUCCESS - match against: '[2015-09-24][465456][N1234SYS04].
'
#### Capturing group data #####
Group | Name | Value
--------------------------------------
1 | | [465456]
2 | ID | N1234SYS04
so use it like this:
your base search here | rex field=_raw "(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" | ...
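To show why the first rex captured the date and the third-bracket pattern fixes it, here is an added Python example (not from the thread) that runs both patterns over a few constructed events. It generalises the accepted regex slightly by allowing whitespace between the bracketed fields and bounding the capture with a closing "]"; note that Python's re needs (?P<ID>...) where Splunk/PCRE accept (?<ID>...).

```python
import re

# Constructed sample events for this demonstration (not the poster's real logs).
SAMPLE_EVENTS = [
    "[2015-09-24][465456][N1234SYS04] No activation date and no log bytes available.",
    "[2015-09-25] [465457] [N5678SYS01] No activation date and no log bytes available.",
    "{2015-09-24} {465456] [N1234SYS04] No activation date and no log bytes available.",
    "[2015-09-26][465458] Message with only two bracketed fields.",
]

# The thread's first suggestion: captures whatever follows the FIRST "[".
# Python's re uses (?P<name>...) for named groups; Splunk's rex accepts (?<name>...).
FIRST_BRACKET = re.compile(r"\[(?P<ID>[^\]]*)")

# The accepted answer, generalised: skip two bracketed fields (optional
# whitespace between them), then capture the third, bounded by its closing "]".
THIRD_BRACKET = re.compile(r"(?:\[[^\]]*\]\s*){2}\[(?P<ID>[^\]]*)\]")


def extract_id(event, pattern=THIRD_BRACKET):
    """Return the captured ID, or None when the event does not match the pattern."""
    m = pattern.search(event)
    return m.group("ID") if m else None


def extract_all(events, pattern=THIRD_BRACKET):
    """Map each event to its extracted ID (None for events the pattern rejects)."""
    return [extract_id(e, pattern) for e in events]


if __name__ == "__main__":
    # Side by side: what the first rex yields vs. the third-bracket rex.
    print(f"{'first [':<12} {'third [':<12} event")
    for e in SAMPLE_EVENTS:
        print(f"{str(extract_id(e, FIRST_BRACKET)):<12} {str(extract_id(e)):<12} {e}")
```

The third sample reproduces the mixed-brace line from the original question: there the first pattern happens to return the ID, while the third-bracket pattern returns None because no two "[...]" fields precede it, which is the point wrangler2x made about the data sample.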