Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

RegEx for splitting data

Kaushaas
Explorer
‎06-12-2024 11:20 PM

Hi All,

I have a raw message which contains Action name like below :

CommBank.Api.PricingExtractor.Controllers.EventPublishController.PublishEventsToKafkaTopics (CommBank.Api.PricingExtractor)

which I  have extracted using below regular expression 

rex field=message "ActionName\\\":\\\"(?<ActionName>[^\\\"]+)"



Is there a way to extract only last part after "." and before "("   i.e "PublishEventsToKafkaTopics" just this I tried few ways but was getting error.

Any help will be appreciated
Thanks in advance

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 11:58 PM

You can try this

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

which will look for all package names up to the last . and then extract the class name based on \w+ rather than everything up to the final quote

If your package or class names contain chars other than \w then adjust accordingly.

View solution in original post

Reply
Solved! Jump to solution

mitcheljohns
New Member
‎06-13-2024 04:52 AM

Regular expressions (RegEx) are powerful tools for splitting data based on patterns. dish tv billing issues Use split() with a RegEx pattern to segment text into manageable components, such as dividing a string by commas or spaces. For instance, split(/[,\s]+/). Customize patterns to match specific delimiters or structures in data, ensuring accurate segmentation for tasks like parsing CSV files or extracting structured information from unformatted text.

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎06-12-2024 11:58 PM

You can try this

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

which will look for all package names up to the last . and then extract the class name based on \w+ rather than everything up to the final quote

If your package or class names contain chars other than \w then adjust accordingly.

Reply
Solved! Jump to solution

Kaushaas
Explorer
‎06-13-2024 03:31 AM

This worked thanks a lot

0 Karma
Reply
Solved! Jump to solution

Kaushaas
Explorer
‎06-13-2024 04:17 AM

@bowesmana  
Thanks for the solution 

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

this worked tried similar thing to extract name from below url using below reg ex what did I miss it didnot work i replaced . to /? If you could ecplain to it will be helpful

URL --- /api/v1/Publish   value expected ---- Publish

| rex field=message "reqPath\\\":\\\"(\w+\/)*(?<reqPath>\w+)"

Thanks a ton in advance

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎06-13-2024 06:30 PM

Try this

| rex field=message "reqPath\\\":\\\".*/(?<reqPath>\w+)"

where the .* is a greedy capture up to the final / character

0 Karma
Reply
Solved! Jump to solution

glc_slash_it
Path Finder
‎06-12-2024 11:52 PM

Hi,

try this after your rex.

 

| rex field=ActionName "\.([^\.]+)\s*\("

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...