Solved: Regex extraction with dashes

klaudiac · ‎08-20-2021

Hi folks,

It's been a while since i posted here, but it looks like I'm stuck a bit (again!)

I'm trying to exclude a prefix and suffix from my results, which are separated from the main string by a dash "-" .

The issue I have that some of the words in my string also contain -'s.

e.g. "Access - My string - July - Splunk" , so the data I'd like to show as my resuls is only My string - July.

I came up with this:

| rex field=rule_name max_match=0 "(?<=-\s)(?<rule_name>[^-]+)(?=-)"
| rex field=rule_name mode=sed "s/^s/s/g"
| rex field=rule_name mode=sed "s/\s$//g"

But then my result shows in 2 separate lines like this:
My string
July

Any tips and hints on how to make them appear in one line?

Thank you 🙂 !

ITWhisperer · ‎08-20-2021

(?<=-\s)(?<rule_name>[^-]+-[^-]+)(?=-)

View solution in original post

ITWhisperer · ‎08-20-2021

(?<=-\s)(?<rule_name>[^-]+-[^-]+)(?=-)

gcusello · ‎08-20-2021

Hi @klaudiac,

if you want to extract the string between the first and the last dash, you could use the following regex

-(?<my_field>.*)\s+-

that you can test at https://regex101.com/r/ag9Q9b/1

If you can share more samples of your logs I could be more precise.

Ciao.

Giuseppe

Regex extraction with dashes

field extraction

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor