Splunk Search

Can you help me create a regex expression that would extract a field?

itionet
New Member

Hi All,

I'm trying to extract a field. However, the field I want to extract isn't at the same location each time. I thought I would try to do a regex on the string only without the field number.

The string I am trying to match is similar to below:
ABCS-3-ABCD_A
ABCDS-2-DFESAC
OSBFSASD-9-SDS_DSA

This is what I came up with, but it's not working:

^(?:[^[\w+]-\d-[\S+]*)(?P[^:]+)

Any help would be appreciated.

0 Karma

saurabhkharkar
Path Finder

I am guessing the string that you are trying to match always starts with '%'

| makeresults
| eval string="Sep 18 22:12:48 hostname.domain : hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter."
| rex field=string ".\%(?<extract>[A-Z-0-9_]+)."
| table string extract

This should give you the string (SESDA-9-BSCS)

0 Karma

saurabhkharkar
Path Finder

Before [A-Z-0-9_] and after the ? , please add (without spaces) - surprisingly that was taken out on its own.

0 Karma

saurabhkharkar
Path Finder

add 'extract' - enclosed in <>

0 Karma

richgalloway
SplunkTrust

The regex string ".*" matches your examples, but is probably not what you need. Please provide complete events that put your target strings in context. Specify what you want extracted from the events. If you describe what you want in words, someone should be able to convert that into a regex.

---
If this reply helps you, Karma would be appreciated.

itionet
New Member

I figured it out. Thanks for the help.

0 Karma

mstjohn_splunk
Splunk Employee

@itionet

I'm glad you figured out an answer to your question. Would you mind creating an answer post describing how you were able to solve your problem and then approving it? That way, others could learn from your problem in the future.

Thanks!

0 Karma

inventsekar
SplunkTrust

Hi.. maybe you can update your REX command (as an answer), so that it will be helpful for others in the future.. and then please accept your answer as the accepted answer

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading!

0 Karma

itionet
New Member

So, this is basically what I'm looking at:

Sep 18 22:12:48 hostname.domain %STRING-A:WD %SECSD-4-DS_S: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain %STRONG-A:SD %LOSSD-3-DACS: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.
Sep 18 22:12:48 hostname.domain : hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.

As you can see, the string I want to pull out is usually in position 5, the first one being SECSD-4-DS_S. However, sometimes it is in position 6. I want to pull it out of the string no matter the position. The string will always be some number of uppercase letters followed by a - (dash), followed by a digit, followed by another dash, and then some number of uppercase and non-alphanumeric characters.

Thanks.

0 Karma
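Added worked example (mine, not code from the thread, from saurabhkharkar's reply, or from Splunk documentation): a pattern-based extraction that follows the description above and the shape of saurabhkharkar's rex approach, run against constructed events modelled on the four lines posted. It matches on the token's shape (uppercase letters, dash, one digit, dash, uppercase/digits/underscore) anchored with word boundaries rather than on field position, so the extra "hostname.domain" in the fourth event does not matter, and the "%STRING-A" style token is skipped because it has no digit after the first dash. The assumptions are mine: the trailing part is restricted to `[A-Z0-9_]` because that is all the samples show, and the capture group is named `code` (any name works). `(?P<name>...)` syntax is accepted by both Python's `re` and Splunk's PCRE-based `rex`, so the same pattern string can be pasted into an SPL `rex` command.

```python
import re
from typing import List, Optional

# Constructed sample events modelled on the ones posted in the thread (not real log data).
SAMPLE_EVENTS = [
    "Sep 18 22:12:48 hostname.domain %STRING-A:WD %SECSD-4-DS_S: A bunch of text that doesn't matter.",
    "Sep 18 22:12:48 hostname.domain %STRONG-A:SD %LOSSD-3-DACS: A bunch of text that doesn't matter.",
    "Sep 18 22:12:48 hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.",
    "Sep 18 22:12:48 hostname.domain : hostname.domain %STRANG-A:FD %SESDA-9-BSCS: A bunch of text that doesn't matter.",
]

# Shape of the wanted token: uppercase letters, '-', exactly one digit, '-', then
# uppercase letters / digits / underscore (assumed character set, based on the samples).
# \b on both sides lets the token sit at any position in the event; '%' and ':' are not
# word characters, so the boundaries still line up right after '%' and right before ':'.
# The group name "code" is an arbitrary choice.
CODE_PATTERN = r"\b(?P<code>[A-Z]+-\d-[A-Z0-9_]+)\b"
CODE_RE = re.compile(CODE_PATTERN)

# Equivalent Splunk search command using the same pattern string (assumed field _raw):
#   | rex field=_raw "\b(?P<code>[A-Z]+-\d-[A-Z0-9_]+)\b"


def extract_code(event: str) -> Optional[str]:
    """Return the first token matching the shape, or None if the event has none."""
    match = CODE_RE.search(event)
    return match.group("code") if match else None


def extract_all(events: List[str]) -> List[Optional[str]]:
    """Apply extract_code to every event, preserving order (None where nothing matched)."""
    return [extract_code(event) for event in events]


if __name__ == "__main__":
    for event, code in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{code!s:16} <- {event[:60]}...")
```

Note that a position-based approach (counting whitespace-separated fields) breaks on the fourth event precisely because the extra "hostname.domain" shifts everything by one; the shape-based pattern is unaffected, and an event that carries only the "%STRING-A:WD" style token yields None instead of a wrong value.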