Dashboards & Visualizations

RegEx for splitting data

Kaushaas
Explorer

Hi All,

I have a raw message which contains Action name like below :

CommBank.Api.PricingExtractor.Controllers.EventPublishController.PublishEventsToKafkaTopics (CommBank.Api.PricingExtractor)

which I  have extracted using below regular expression 

rex field=message "ActionName\\\":\\\"(?<ActionName>[^\\\"]+)"



Is there a way to extract only last part after "." and before "("   i.e "PublishEventsToKafkaTopics" just this I tried few ways but was getting error.

Any help will be appreciated
Thanks in advance

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

You can try this

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

which will look for all package names up to the last . and then extract the class name based on \w+ rather than everything up to the final quote

If your package or class names contain chars other than \w then adjust accordingly.

View solution in original post

mitcheljohns
New Member

Regular expressions (RegEx) are powerful tools for splitting data based on patterns. dish tv billing issues Use split() with a RegEx pattern to segment text into manageable components, such as dividing a string by commas or spaces. For instance, split(/[,\s]+/). Customize patterns to match specific delimiters or structures in data, ensuring accurate segmentation for tasks like parsing CSV files or extracting structured information from unformatted text.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

You can try this

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

which will look for all package names up to the last . and then extract the class name based on \w+ rather than everything up to the final quote

If your package or class names contain chars other than \w then adjust accordingly.

Kaushaas
Explorer

This worked thanks a lot

0 Karma

Kaushaas
Explorer

@bowesmana  
Thanks for the solution 

| rex field=message "ActionName\\\":\\\"(\w+\.)*(?<ActionName>\w+)"

this worked tried similar thing to extract name from below url using below reg ex what did I miss it didnot work i replaced . to /? If you could ecplain to it will be helpful

URL --- /api/v1/Publish   value expected ---- Publish

| rex field=message "reqPath\\\":\\\"(\w+\/)*(?<reqPath>\w+)"

Thanks a ton in advance

0 Karma

bowesmana
SplunkTrust
SplunkTrust

Try this

| rex field=message "reqPath\\\":\\\".*/(?<reqPath>\w+)"

where the .* is a greedy capture up to the final / character

0 Karma

glc_slash_it
Path Finder

Hi,

try this after your rex.

 

| rex field=ActionName "\.([^\.]+)\s*\("

 

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...