Knowledge Management

Regex extraction with dashes

klaudiac
Path Finder

Hi folks, 

It's been a while since i posted here, but it looks like I'm stuck a bit (again!)

I'm trying to exclude a prefix and suffix from my results, which are separated from the main string by a dash "-" . 

The issue I have that some of the words in my string also contain -'s.

e.g. "Access - My string - July - Splunk" , so the data I'd like to show as my resuls is only My string - July. 

I came up with this: 

| rex field=rule_name max_match=0 "(?<=-\s)(?<rule_name>[^-]+)(?=-)"
| rex field=rule_name mode=sed "s/^s/s/g"
| rex field=rule_name mode=sed "s/\s$//g"

But then my result shows in 2 separate lines like this:
   My string
   July

 

Any tips and hints on how to make them appear in one line? 

 

Thank you 🙂

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
(?<=-\s)(?<rule_name>[^-]+-[^-]+)(?=-)

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
(?<=-\s)(?<rule_name>[^-]+-[^-]+)(?=-)

gcusello
SplunkTrust
SplunkTrust

Hi @klaudiac,

if you want to extract the string between the first and the last dash, you could use the following regex

-(?<my_field>.*)\s+-

that you can test at https://regex101.com/r/ag9Q9b/1

If you can share more samples of your logs I could be more precise.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...