Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to extract fields between strings

cindygibbs_08
Communicator
‎06-30-2021 08:04 PM

Hello guys I hope you are doing well,

 

It turns out I am in need of a regex that will allow me to extract a "fixed" or "static" pattern within a field that is called HEAD in a splunk search that I have... this so-called HEAD field will start with any kind of words/numbers/strings... but will always have at some point the pattern "***\|Hotel=YY-4857UU45547|" wich is three (*) followed by "\|Hotel=" and then a combination of words and numbers and this pattern with always end with a "|" .... this will may always have some other kinds of words of number after that last "|" so what i an trying to acchive is estracting only the pattern that we know to be always consistent... to show you an example this is one of the real values of that field:

| makeresults
| eval HEAD=" 487542 For Flight Toronto AV TAX VIP client UBER_LIFT_ 78547  ***\|Hotel=YY-4857UU45547| aws not equip Need end seat 1U"

and I would like a regex that will allow me to extract:

YY-4857UU45547

and put it in a new field name: RESERV_CODE

I have tried all day and all nig I will ne so thankful to any of you lovely people who can help me out tahnk you so much


 

love;
cindy

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-30-2021 08:29 PM

@cindygibbs_08 

can you try this?

<your_search_goes_here>
| rex field="HEAD" "\*\*\*\\\|Hotel\=(?<RESERVE_CODE>[-\w]+)"

--

An upvote would be appreciated and Accept solution if it helps!

View solution in original post

Tags (1)
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-30-2021 08:29 PM

@cindygibbs_08 

can you try this?

<your_search_goes_here>
| rex field="HEAD" "\*\*\*\\\|Hotel\=(?<RESERVE_CODE>[-\w]+)"

--

An upvote would be appreciated and Accept solution if it helps!

Tags (1)
Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-30-2021 08:37 PM

Hello @venkatasri  thank you for your help !!! Your code is great but... It does not give the RESERV_CODE until the last "|" but rather gives me the rest of the string in HEAD.. am I doing something wrong?

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-30-2021 08:43 PM

@cindygibbs_08 Looks fine to me, is that same sample that you have tested? 

Can you share how the end result looks like and what was the original event?

Screenshot 2021-07-01 at 1.39.39 PM.png

Reply
Solved! Jump to solution

cindygibbs_08
Communicator
‎06-30-2021 08:47 PM

@venkatasri  hi! Yeah is the same but When I put it in splunk I get everything after the "=" basically...

 

 

 

 

0 Karma
Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-30-2021 09:15 PM

@cindygibbs_08 can you try this.

<your_search_goes_here>
| rex  field=HEAD "Hotel\=(?<RESERV_CODE>[-\w]+)\|"

--

An upvote  would be appreciated and Accept solution if it helps!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...