Getting Data In

Regex to extract field: data inside a a parenthesis

jaimelopez
Explorer

Hello,
I would like to extract data from inside a parenthesis to create a new field
This command for a search works well:
rex field=user_description "((?[^)]*)"

But when a try to configure this inside a query of a dashboard it does not work i guess because some incomptability with xml

The alternative is to extract field in the sourcetype but I am not able to obtain regular expression

Could anyone provide the regex code

Example of the data:

{"userid": 1, "action": "development (project)", "user_description": " Michael Jordan (adm-Jordan)"}

And I would like to obtain: adm-Jordan

Please take into account that other fields can contain information between parenthesis but in my case I would like to obtain data inside parenthesis when first coincidence after user_description appears

Many thanks a lot

0 Karma
1 Solution

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"

View solution in original post

0 Karma

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"
0 Karma

jaimelopez
Explorer

Hi @vnravikumar ,
The thing is that I need this search to be included in a dashboard and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex

The data has to be shown in a dashboard, not simple search.

Yu know what could be the problem?

Thanks
Jaime

0 Karma

vnravikumar
Champion

Is it possible to post your XML?

0 Karma

jaimelopez
Explorer

Hi @vnravikumar
Yes, here you have

<form>
  <label></label>
  <fieldset submitButton="false">
    <input type="time" token="time_picker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Test</title>
        <search>
          <query>
| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"
| table _time user_description result
          </query>
          <earliest>$time_picker.earliest$</earliest>
          <latest>$time_picker.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

What I checked it should be something regarding rex command
Regards,

0 Karma

vnravikumar
Champion

Hi

Try like

 | rex field=user_description "\((?P&lt;result&gt;[^)]+)"
0 Karma

jaimelopez
Explorer

it works @vnravikumar
lots of thanks 🙂

0 Karma

vnravikumar
Champion

Please accept my answer

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}"
| spath
| rex field=user_description "\((?<description>.*)\)"

spath is useful.

jaimesplunk88
New Member

Hi to4kawa,

This is not what i want.

The spath command extracts field and value pairs on structured event data, such as XML and JSON.
What I want to extract is only the data inside the parenthesis related to user_description field

Thanks.

0 Karma

to4kawa
Ultra Champion

I see, my answer is updated.

0 Karma

jaimelopez
Explorer

Hi @to4kawa ,
The thing is that I need this search to be included in a dashboard and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex

The data has to be shown in a dashboard, not simple search.

Yu know what could be the problem?

Thanks
Jaime

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...