- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me with the following regex expr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have events from which I need to extract the strings that fall before the string "raced to road"
Here is a sample event:
'com.pyxis.greengoblin.phutan' - 'PhutanAgile' raced to road.
Error creating bean with name 'sampleDataGeneratorImpl' defined in URL [bundle://187.0:1/com/bsassian/greengoblin/sampledata/SampleDataGeneratorImpl.class]:
It was loaded from /bsahare/bsaassian/application-data/jirabiz/plugins/installed-plugins/plugin.8763102878749631573.loovytuner-5.5.28.jar
'com.bsa.phutan.plugins.bsa-development-integration-blogin' - 'Bsassian Phutan - blogins - Development Integration blogin' raced to road.
The Strings that need to be extracted in the above sample events are 'PhutanAgile' and 'Bsassian Phutan - blogins - Development Integration blogin'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @zacksoft,
Try this:
|rex max_match=0 "(?<a>[^']+)\'\s*raced to road"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The simplistic (.*)raced to road. extracts it ; - )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @zacksoft,
Try this:
|rex max_match=0 "(?<a>[^']+)\'\s*raced to road"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@493669 Thanks for the help. Where is the extracted string getting stored. I need to use the extracted string in a table command.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field is extracted in fieldname a you can change as per your need to show it in table
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Almost, but he doesn't want the entire string, just the bit in between ' right in front of "raced to road".
So it should be: [^\']+?(?=\'\s+raced to road)
https://regex101.com/r/0A66nK/2
But the solution presented by @493669 seems to be a lot more efficient (factor 30 in steps reported by regex101).
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
