Solved: Re: Extract Fields Using RegEx

kramsay · ‎01-30-2014

I am having trouble trying to parse data from a raw event line.

The raw event come in 2 different ways further below using the following regex info

(?i)^(?:[^^]*^){2}(?P[^^]+)

The issue is some have ^ and others %5E is there a way to capture both in the extraction?

[30/Jan/2014:04:59:58 +0000] "GET /t25f.png?Starcom_CrystalLight_CrystalLight_BS_Visor1_3023150_5184568%5E5184568%5E23255909%5E3098598 HTTP/1.1" 200 h://cms.springboard.gorillanation.com/embed_iframe/1085/video/854883/tjbr001/thejasminebrand.com/10"

&

[30/Jan/2014:04:59:59 +0000] "GET /s75t.png?Starcom_ChrystalLight_ChrystalLight_CU_Visor1_3023150_5170050^5170050^23244639^2844787^^NoOfSlates=1^CurrentSlate=1 HTTP/1.1" 200 h://www.pch.com/entryintervid?crmN=2014JanTVPC1En"

Thanks you all for any help.

somesoni2 · ‎01-30-2014

Try this workaround

your base search ..| eval new_raw=replace(_raw,"%5E","^")| rex field=new_raw "(?i)^(?:[^(\^)]*(\^)){2}(?P<bannerid>[^\^]+)"

View solution in original post

David · ‎01-30-2014

This regex seems to work well on regexr:

GET(?:.*?(?:\^|%5E)){2}(?<bannerid>.*?)(?:\^|%5E)

Does that get you what you're looking for?

somesoni2 · ‎01-30-2014

Try this workaround

your base search ..| eval new_raw=replace(_raw,"%5E","^")| rex field=new_raw "(?i)^(?:[^(\^)]*(\^)){2}(?P<bannerid>[^\^]+)"

kramsay · ‎01-30-2014

Yes you are correct.

kristian_kolb · ‎01-30-2014

Am I correct in guessing that you want to extract

- 23255909 from the first event
- 23244639 from the second event

Extract Fields Using RegEx

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor