Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

RegEx for splitting data

Kaushaas
Explorer
‎06-12-2024 11:20 PM

Hi All,

I have a raw message which contains Action name like below :

CommBank.Api.PricingExtractor.Controllers.EventPublishController.PublishEventsToKafkaTopics (CommBank.Api.PricingExtractor)

which I  have extracted using below regular expression 

rex field=message "ActionName\\\":\\\"(?<ActionName>[^\\\"]+)"



Is there a way to extract only last part after "." and before "("   i.e "PublishEventsToKafkaTopics" just this I tried few ways but was getting error.

Any help will be appreciated
Thanks in advance

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 11:58 PM

You can try this

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

which will look for all package names up to the last . and then extract the class name based on \w+ rather than everything up to the final quote

If your package or class names contain chars other than \w then adjust accordingly.

View solution in original post

Reply
Solved! Jump to solution

mitcheljohns
New Member
‎06-13-2024 04:52 AM

Regular expressions (RegEx) are powerful tools for splitting data based on patterns. dish tv billing issues Use split() with a RegEx pattern to segment text into manageable components, such as dividing a string by commas or spaces. For instance, split(/[,\s]+/). Customize patterns to match specific delimiters or structures in data, ensuring accurate segmentation for tasks like parsing CSV files or extracting structured information from unformatted text.

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 11:58 PM

You can try this

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

which will look for all package names up to the last . and then extract the class name based on \w+ rather than everything up to the final quote

If your package or class names contain chars other than \w then adjust accordingly.

Reply
Solved! Jump to solution

Kaushaas
Explorer
‎06-13-2024 03:31 AM

This worked thanks a lot

0 Karma
Reply
Solved! Jump to solution

Kaushaas
Explorer
‎06-13-2024 04:17 AM

@bowesmana  
Thanks for the solution 

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

this worked tried similar thing to extract name from below url using below reg ex what did I miss it didnot work i replaced . to /? If you could ecplain to it will be helpful

URL --- /api/v1/Publish   value expected ---- Publish

| rex field=message "reqPath\\\":\\\"(\w+\/)*(?<reqPath>\w+)"

Thanks a ton in advance

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-13-2024 06:30 PM

Try this

| rex field=message "reqPath\\\":\\\".*/(?<reqPath>\w+)"

where the .* is a greedy capture up to the final / character

0 Karma
Reply
Solved! Jump to solution

glc_slash_it
Path Finder
‎06-12-2024 11:52 PM

Hi,

try this after your rex.

 

| rex field=ActionName "\.([^\.]+)\s*\("

 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...