Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex question/request

Mike6960
Path Finder
‎09-20-2019 06:13 AM

Is it possible to use regex to extract values in events that always end with .PDF ? I have got a chain of events, somewhere in this process a PDF doucment is generated, So the name of the PDF is not in all the events.

0 Karma
Reply

dmarling
Builder
‎09-30-2019 09:01 AM

Based on the example you provided in the question comments, this should return the data you are looking for:

| rex "(?<PDFFileName>\S+)\.[Pp][Dd][Ff]"

Here's the regex101 link showing it function on your example: https://regex101.com/r/OyLl8z/1

If this comment/answer was helpful, please up vote it. Thank you.
0 Karma
Reply

jpolvino
Builder
‎09-20-2019 10:17 AM

Sounds like you're saying that you're looking for all events related to one that eventually generates a PDF? If so then is there a unique identifier that ties them all together? I'm asking because you could use a subsearch to gather all unique identifiers from those "PDF" events, and then use those identifiers later in your search to find relates events.

Posting a sample list of events will help.

0 Karma
Reply

somesoni2
Revered Legend
‎09-20-2019 06:52 AM

YOu should be able to use following regex (assuming that youru PDF file name contains alphanueric characters only)

your base search | rex "(?<PDFFileName>[A-z0-9_]+\.(pdf|PDF))"

Again, for better solution, please provide sample data and highlight the portion you want to extract.

Reply

Mike6960
Path Finder
‎09-30-2019 04:23 AM

Thanks, almost what I need, due to the lack of me supplying an example not quite everything I need.

this is a fragment of the events:

: Get file ABC_6_2019-09-30_VK-161.2285507.pdf from /opt/mulesoft/

I would like to extract the values: ABC_6_2019-09-30_VK-161.2285507.pdf
It always ends with .PDF but the first part can differ, in my example it starts with ABC but this can also be ZZ for example

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-20-2019 06:49 AM

Please share some sample data and what you want extracted from it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Mike6960
Path Finder
‎09-30-2019 04:21 AM

this is a fragment of the events:

: Get file ABC_6_2019-09-30_VK-161.2285507.pdf from /opt/mulesoft/

I would like to extract the values: ABC_6_2019-09-30_VK-161.2285507.pdf
It always ends with .PDF but the first part can differ, in my example it starts with ABC but this can also be ZZ for example

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...