Solved: Can you help me build a regex that can extract a f...

jip31 · ‎11-19-2018

Hello

I want to extract the field below from my event

ABDM-TOUPDATE.$w$

could you help me please?

inventsekar · ‎11-19-2018

Pls check this run-anywhere example -
(please provide some logs and more details, so that exact rex query can be written -)

| makeresults 
| eval _raw = "something something ABDM-TOUPDATE.5w2 something something"
| rex field=_raw "(?P<rexHELP>ABDM-TOUPDATE\.\d\w\d)"
| table _raw rexHELP

View solution in original post

inventsekar · ‎11-19-2018

Pls check this run-anywhere example -
(please provide some logs and more details, so that exact rex query can be written -)

| makeresults 
| eval _raw = "something something ABDM-TOUPDATE.5w2 something something"
| rex field=_raw "(?P<rexHELP>ABDM-TOUPDATE\.\d\w\d)"
| table _raw rexHELP

493669 · ‎11-19-2018

could you please share what needs to be extracted and whats your raw event?

jip31 · ‎11-19-2018

I cant sent the raw event because confidentiality
in my event, i just want to extract this: ABDM-TOUPDATE.$w$

FrankVl · ‎11-19-2018

Just that literal string? Or are those $ signs placeholders of something?

And what do you want to extract it from and where do you want to extract it into?

Simple example extracting from _raw into field1: | rex field=_raw "(?<field1>ABDM-TOUPDATE\.\$w\$)"

Can you help me build a regex that can extract a field from the following event?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!