Re: How to create a field with more complicated va...

gilbxrtx_7 · ‎04-23-2018

I want to extract the text in square brackets to create it as a field. However like my previous problem I had the field extraction error.

I am new to regular expressions and am not sure on how it is done, would appreciate any help to help me with the regex for this. Thank you.

Sample of the texts to be used for extraction:
<37>1 2018-04-12T02:46:13Z ET0021B747DAEC auth 0 [event101@641 SessionId="34.uUnn74R4Z7DGp" Auth_Method="Username" Username="deleteUser" UniqueUserId="a995a58e-b44f-4ebc-a7f8-f208bb46a692" Fullname="deleteUser"] Updated group selections for user: 'deleteUser'

<37>1 2018-04-16T06:03:24Z ET0021B747DAEC settings 0 [event240@641 SessionId="6hbDLUPiY5KfoYaV" SettingName="" Setting_Old_Value="0" Setting_New_Value="1"] changed id 25464

<37>1 2018-04-16T06:23:25Z ET0021B747DAEC auth 0 [event243@641 SessionId="U3Ur2rt.7LbzBYHh"] Session has logged out due to timeout.

<37>1 2018-04-16T05:47:23Z ET0021B747DAEC jobmanager 0 [event233@641 JobId="9" Job_Type="DataStreamWorkflow"] Job Cancelled:

Regardless of the length of the text in square bracket, I would want them to be able to be added as a field.

Shan · ‎04-24-2018

Hai ,

Use the below regex syntax.

you will exactly get the data in square bracket. I have tested with above sample data provided by you.

[[a-zA-Z0-9@="-._\s\]*

Shan · ‎04-24-2018

@gilbxrtx_7 - You have multiple correct answers. Kindly test it. Accept the answer and close the question..

woodcock · ‎04-23-2018

Like this:

... | rex "\[(?<bracket_stuff>[^\]]+)"

gilbxrtx_7 · ‎04-23-2018

thanks for your suggestion, but when I copied and pasted it into regex101.com it stated that the regex got error. I prefer a regex that is meant to be created and stay permanent since I am creating a field, not to search in the search bar
when I copied and paste into search bar I dont see any highlighted text either
@woodcock

woodcock · ‎04-24-2018

You tested it wrong; see here:

https://regex101.com/r/npR95w/1

You can save this as a permanent KO by going to Settings -> Fields -> Field extractions -> New.

richgalloway · ‎04-23-2018

Regular expressions aren't that hard, once you get used to them. A good site for experimenting with regexes is regex101.com.

This one should work for your sample data. It looks for a left bracket then takes everything that is not a right bracket and puts it into a field called "squareText". Of course, you can call the field anything you like.

"\[(?<squareText>[^\]]*)\]"

---
If this reply helps you, Karma would be appreciated.

gilbxrtx_7 · ‎04-23-2018

I copied and pasted your suggested regex into regex101.com but it says the following error: incomplete group structure with the (?...) parentheses and question mark. Also I would want the regex that is used for creating fields, not to be entered in search bar
When i copied and pasted into search bar I dont see any highlighted text with the square brackets either
@richgalloway

gilbxrtx_7 · ‎04-23-2018

@richgalloway I added a letter 'P' right after the question mark and it worked, however it only highlighted the first sample text and did not for the subsequent texts

woodcock · ‎04-23-2018

Beat me by 1 minute but I like mine better!

How to create a field with more complicated values to be extracted?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms