Getting Data In

Regex to extract field: data inside a parenthesis

jaimelopez
Explorer

Hello,
I would like to extract data from inside parentheses to create a new field.
This command works well in a search:
rex field=user_description "((?[^)]*)"

But when I try to configure this inside a query of a dashboard it does not work, I guess because of some incompatibility with XML.

The alternative is to extract the field in the sourcetype, but I am not able to obtain the regular expression.

Could anyone provide the regex code?

Example of the data:

{"userid": 1, "action": "development (project)", "user_description": " Michael Jordan (adm-Jordan)"}

And I would like to obtain: adm-Jordan

Please take into account that other fields can contain information between parentheses, but in my case I would like to obtain the data inside the parentheses at the first match after user_description.

Many thanks

0 Karma
1 Solution

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"

0 Karma

jaimelopez
Explorer

Hi @vnravikumar ,
The thing is that I need this search to be included in a dashboard and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex

The data has to be shown in a dashboard, not simple search.

Do you know what could be the problem?

Thanks
Jaime

0 Karma

vnravikumar
Champion

Is it possible to post your XML?

0 Karma

jaimelopez
Explorer

Hi @vnravikumar
Yes, here you have

<form>
  <label></label>
  <fieldset submitButton="false">
    <input type="time" token="time_picker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Test</title>
        <search>
          <query>
| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"
| table _time user_description result
          </query>
          <earliest>$time_picker.earliest$</earliest>
          <latest>$time_picker.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

From what I checked, it should be something regarding the rex command.
Regards,

0 Karma

vnravikumar
Champion

Hi

Try like

| rex field=user_description "\((?P&lt;result&gt;[^)]+)"

0 Karma
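
The following is an added example, not code from the thread or from Splunk: it shows why the unescaped rex line makes the dashboard XML malformed and that the escaped form parses back to the same SPL. It goes one step beyond the thread by also checking a CDATA section, which Simple XML accepts around a query. Python's XML parser and `re` module stand in for the dashboard parser and rex, and the helper names `query_text`, `extract` and `check` are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# rex line from the thread; the named group uses literal < and >.
SPL = r'| rex field=user_description "\((?P<result>[^)]+)"'
ESCAPED = escape(SPL)  # & < > become &amp; &lt; &gt;

# Sample event from the question.
EVENT = ('{"userid": 1, "action": "development (project)", '
         '"user_description": " Michael Jordan (adm-Jordan)"}')

def query_text(body):
    """Parse <query>body</query>; return its text, or None if malformed."""
    try:
        return ET.fromstring("<query>" + body + "</query>").text
    except ET.ParseError:
        return None

def extract(event_json):
    """Mimic spath + rex: match only inside the user_description value."""
    value = json.loads(event_json).get("user_description", "")
    m = re.search(r"\((?P<result>[^)]+)", value)
    return m.group("result") if m else None

def check():
    return {
        "raw": query_text(SPL),                          # <result> read as a tag
        "escaped": query_text(ESCAPED),                  # entities decoded on parse
        "cdata": query_text("<![CDATA[" + SPL + "]]>"),  # no escaping needed
        "result": extract(EVENT),
    }

if __name__ == "__main__":
    for name, value in check().items():
        print(f"{name:8} {value!r}")
```

The raw form fails because the parser treats `<result>` as an opening tag that `</query>` then closes out of order; the match on `user_description` alone is why `(project)` in the `action` field is never returned.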

jaimelopez
Explorer

it works @vnravikumar
lots of thanks 🙂

0 Karma

vnravikumar
Champion

Please accept my answer

0 Karma

to4kawa
SplunkTrust

| makeresults
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}"
| spath
| rex field=user_description "\((?<description>.*)\)"

spath is useful.

jaimesplunk88
New Member

Hi to4kawa,

This is not what I want.

The spath command extracts field and value pairs on structured event data, such as XML and JSON.
What I want to extract is only the data inside the parenthesis related to user_description field

Thanks.

0 Karma

to4kawa
SplunkTrust

I see, my answer is updated.

0 Karma

jaimelopez
Explorer

Hi @to4kawa ,
The thing is that I need this search to be included in a dashboard and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex

The data has to be shown in a dashboard, not simple search.

Do you know what could be the problem?

Thanks
Jaime

0 Karma