I have for example something as follows, "Request X|Y|Z" where X, Y, and Z all change each time the message is displayed. In this case I only want to review value Z. I was thinking something like the following:
rex (?<num1>\d)|(?<num2>\d)|(?<num3>\d)
but I am not getting the results back as expected. What would be the best way to handle this?
Try this:
... | rex "(?<thing1>[^\|]+)\|(?<thing2>[^\|]+)\|(?<thing3>[^\|]+)"
regex101.com is your friend. You can put an example text value to extract, and your regular expression, into the screen and it will show you what happens.
It's not always perfect in its match with what Splunk will do, but in this case it would have taught you that the | needed to be \|.
The vertical bars (|) in your events are literal, but when you use them in regex as shown, they become logical ORs. You need to escape such special characters if they are literal.
rex (?<num1>\d)\|(?<num2>\d)\|(?<num3>\d)
In fact if you are only interested in Z, you don't have to extract num1 and num2.
Would I need to add anything to account for blank space?
Yes, if your data contains blank spaces, you need to account for them.
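The difference between the unescaped and escaped patterns in this thread, plus a Z-only pattern that tolerates blank spaces, as an added example that is not part of any post above. It uses JavaScript's regex engine as a stand-in for Splunk's rex (the named-group syntax is the same); the sample events, the `zOnly` pattern and the helper names are constructed for illustration, and it assumes Z is a run of digits at the end of the event.

```javascript
// Added illustration, not code from the thread. Sample events are constructed.
const events = [
  "Request 1|2|3",        // compact form
  "Request 10 | 20 | 30", // multi-digit values with blank spaces around the pipes
  "Request 7|8|",         // Z missing
];

// Pattern from the question: an unescaped | is alternation, so this reads
// "num1 OR num2 OR num3". The first branch wins on the first digit found.
const unescaped = /(?<num1>\d)|(?<num2>\d)|(?<num3>\d)/;

// Escaped pipes are literal separators, but \d is one digit and no spaces are allowed.
const escaped = /(?<num1>\d)\|(?<num2>\d)\|(?<num3>\d)/;

// Z only (assumed shape): skip the first two fields without capturing them,
// allow optional whitespace around Z, and accept more than one digit.
const zOnly = /^Request\s+[^|]*\|[^|]*\|\s*(?<num3>\d+)\s*$/;

// Return only the named groups that actually took part in the match.
function extract(pattern, event) {
  const m = pattern.exec(event);
  if (!m) return null;
  return Object.fromEntries(
    Object.entries(m.groups).filter(([, value]) => value !== undefined)
  );
}

// Return Z as a string, or null when the event has no usable Z.
function extractZ(event) {
  const m = zOnly.exec(event);
  return m ? m.groups.num3 : null;
}

for (const event of events) {
  console.log(JSON.stringify(event), {
    unescaped: extract(unescaped, event),
    escaped: extract(escaped, event),
    z: extractZ(event),
  });
}
```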