Getting Data In

Regex to extract field: data inside a parenthesis

jaimelopez
Explorer

Hello,
I would like to extract data from inside a parenthesis to create a new field
This command for a search works well:
rex field=user_description "((?[^)]*)"

But when I try to configure this inside a query of a dashboard it does not work, I guess because of some incompatibility with XML.

The alternative is to extract the field in the sourcetype, but I am not able to obtain the regular expression.

Could anyone provide the regex code?

Example of the data:

{"userid": 1, "action": "development (project)", "user_description": " Michael Jordan (adm-Jordan)"}

And I would like to obtain: adm-Jordan

Please take into account that other fields can contain information between parentheses, but in my case I would like to obtain the data inside the parentheses where the first match after user_description appears.

Many thanks

0 Karma
1 Solution

vnravikumar
Champion

Hi

Check this

| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"


jaimelopez
Explorer

Hi @vnravikumar ,
The thing is that I need this search to be included in a dashboard, and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex.

The data has to be shown in a dashboard, not a simple search.

Do you know what could be the problem?

Thanks
Jaime

0 Karma

vnravikumar
Champion

Is it possible to post your XML?

0 Karma

jaimelopez
Explorer

Hi @vnravikumar
Yes, here you have

<form>
  <label></label>
  <fieldset submitButton="false">
    <input type="time" token="time_picker" searchWhenChanged="true">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Test</title>
        <search>
          <query>
| makeresults 
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}" 
| spath path=user_description output=user_description 
| rex field=user_description "\((?P<result>[^)]+)"
| table _time user_description result
          </query>
          <earliest>$time_picker.earliest$</earliest>
          <latest>$time_picker.latest$</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

From what I checked, it should be something regarding the rex command.
Regards,

0 Karma

vnravikumar
Champion

Hi

Try like

 | rex field=user_description "\((?P&lt;result&gt;[^)]+)"
0 Karma
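
Why the unescaped query fails and the escaped one works, as an added example that is not part of the original thread. Python's standard XML parser stands in for the dashboard's XML parsing, the `<search><query>` wrapper is a constructed minimal fragment, and the CDATA variant is a general XML alternative the thread does not mention.

```python
import json
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# SPL line from the thread; the named group contains literal < and >.
REX_LINE = r'| rex field=user_description "\((?P<result>[^)]+)"'

# Constructed minimal fragment, not a complete Simple XML dashboard.
TEMPLATE = "<search><query>{}</query></search>"

# Sample event from the question.
SAMPLE_EVENT = ('{"userid": 1, "action": "development (project)", '
                '"user_description": " Michael Jordan (adm-Jordan)"}')


def parses_as_xml(query_text):
    """Return the query text the XML parser recovers, or None if malformed."""
    try:
        return ET.fromstring(TEMPLATE.format(query_text)).findtext("query")
    except ET.ParseError:
        # Raw "<result>" is read as an opening tag, so "</query>" mismatches.
        return None


def embed_variants(spl):
    """Three ways to place SPL inside <query>: raw, entity-escaped, CDATA."""
    return {
        "raw": spl,
        "escaped": escape(spl),  # < and > become &lt; and &gt;
        # CDATA is only safe while the SPL itself never contains "]]>".
        "cdata": "<![CDATA[" + spl + "]]>",
    }


def extract_account(event_json):
    """Apply the thread's regex to user_description only (spath, then rex)."""
    description = json.loads(event_json)["user_description"]
    match = re.search(r"\((?P<result>[^)]+)", description)
    return match.group("result") if match else None


if __name__ == "__main__":
    for name, text in embed_variants(REX_LINE).items():
        print(f"{name:8} -> {parses_as_xml(text)}")
    print("result   ->", extract_account(SAMPLE_EVENT))
```

Restricting the regex to `user_description` is what keeps `(project)` in the `action` field from matching first.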

jaimelopez
Explorer

It works @vnravikumar
Lots of thanks 🙂

0 Karma

vnravikumar
Champion

Please accept my answer

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="{\"userid\": 1, \"action\": \"development (project)\", \"user_description\": \" Michael Jordan (adm-Jordan)\"}"
| spath
| rex field=user_description "\((?<description>.*)\)"

spath is useful.

jaimesplunk88
New Member

Hi to4kawa,

This is not what I want.

The spath command extracts field and value pairs on structured event data, such as XML and JSON.
What I want to extract is only the data inside the parenthesis related to the user_description field.

Thanks.

0 Karma

to4kawa
Ultra Champion

I see, my answer is updated.

0 Karma

jaimelopez
Explorer

Hi @to4kawa ,
The thing is that I need this search to be included in a dashboard, and when I write it in the code
I have this error "Unexpected close tags" and it is a problem of the line of rex.

The data has to be shown in a dashboard, not a simple search.

Do you know what could be the problem?

Thanks
Jaime

0 Karma