Reporting

Regex to extract fields between strings

cindygibbs_08
Communicator

Hello guys, I hope you are doing well,

It turns out I am in need of a regex that will allow me to extract a "fixed" or "static" pattern within a field called HEAD in a Splunk search that I have... this so-called HEAD field will start with any kind of words/numbers/strings... but will always have at some point the pattern "***\|Hotel=YY-4857UU45547|", which is three (*) followed by "\|Hotel=" and then a combination of words and numbers, and this pattern will always end with a "|" .... this may also have some other kinds of words or numbers after that last "|", so what I am trying to achieve is extracting only the pattern that we know to be always consistent... to show you an example, this is one of the real values of that field:

| makeresults
| eval HEAD=" 487542 For Flight Toronto AV TAX VIP client UBER_LIFT_ 78547  ***\|Hotel=YY-4857UU45547| aws not equip Need end seat 1U"

and I would like a regex that will allow me to extract:

YY-4857UU45547

and put it in a new field name: RESERV_CODE

I have tried all day and all night. I will be so thankful to any of you lovely people who can help me out, thank you so much

love,
cindy

 

1 Solution

venkatasri
SplunkTrust
SplunkTrust

@cindygibbs_08 

can you try this?

<your_search_goes_here>
| rex field="HEAD" "\*\*\*\\\|Hotel\=(?<RESERVE_CODE>[-\w]+)"

--

An upvote would be appreciated and Accept solution if it helps!


cindygibbs_08
Communicator

Hello @venkatasri, thank you for your help!!! Your code is great but... it does not give the RESERV_CODE until the last "|" but rather gives me the rest of the string in HEAD... am I doing something wrong?

venkatasri
SplunkTrust
SplunkTrust

@cindygibbs_08 Looks fine to me, is that the same sample that you have tested?

Can you share what the end result looks like and what the original event was?

Screenshot 2021-07-01 at 1.39.39 PM.png

cindygibbs_08
Communicator

@venkatasri hi! Yeah, it is the same, but when I put it in Splunk I get everything after the "=" basically...

venkatasri
SplunkTrust
SplunkTrust

@cindygibbs_08 can you try this?

<your_search_goes_here>
| rex  field=HEAD "Hotel\=(?<RESERV_CODE>[-\w]+)\|"

--

An upvote would be appreciated and Accept solution if it helps!

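To see how the delimiter choices in the two rex patterns from this thread change what gets captured, here is an added Python example (not code from either poster) that runs equivalent regexes over the HEAD value from the question plus two constructed variants; the `[^|]+` "both_delimiters" variant and the sample names are my additions. Python's `re` spells named groups `(?P<name>...)` where Splunk's rex accepts `(?<name>...)`; the patterns are otherwise the same.

```python
import re

# Constructed sample values: the first is the HEAD value from the question,
# the other two are made up to show the edge cases each pattern handles.
SAMPLES = {
    "question": " 487542 For Flight Toronto AV TAX VIP client UBER_LIFT_ 78547"
                "  ***\\|Hotel=YY-4857UU45547| aws not equip Need end seat 1U",
    "no_closing_pipe": "***\\|Hotel=YY-4857UU45547 aws not equip",
    "punctuated_code": "***\\|Hotel=YY-4857/UU.45547| seat 1U",
}

PATTERNS = {
    # First reply: anchored on the "***\|Hotel=" prefix only; the character
    # class [-\w]+ alone decides where the captured value stops.
    "prefix_only": re.compile(r"\*\*\*\\\|Hotel=(?P<RESERV_CODE>[-\w]+)"),
    # Final reply: additionally requires the closing "|", so the whole code
    # must consist of [-\w] characters and run right up to that pipe.
    "closing_pipe": re.compile(r"Hotel=(?P<RESERV_CODE>[-\w]+)\|"),
    # Added variant: anchor on both delimiters and accept any non-pipe
    # characters in between, so the code is "everything up to the next |".
    "both_delimiters": re.compile(r"\*\*\*\\\|Hotel=(?P<RESERV_CODE>[^|]+)\|"),
}


def extract_reserv_code(head, pattern_name="both_delimiters"):
    """Return the RESERV_CODE captured from HEAD, or None when there is no match.

    This mirrors `| rex field=HEAD ...`: when the regex does not match,
    Splunk simply does not create the RESERV_CODE field for that event.
    """
    match = PATTERNS[pattern_name].search(head)
    return match.group("RESERV_CODE") if match else None


def compare_patterns():
    """Run every pattern over every sample to show which delimiter choice holds up."""
    return {
        name: {label: extract_reserv_code(value, name) for label, value in SAMPLES.items()}
        for name in PATTERNS
    }


if __name__ == "__main__":
    for name, results in compare_patterns().items():
        print(name)
        for label, code in results.items():
            print(f"  {label:16} -> {code!r}")
```

On the question's own sample all three patterns agree; they differ only on the constructed values, which is where "I get everything after the =" style surprises come from.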