Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Extract string from VERTICA-MIB::vertHostName = STRING: "vertica-1"

ispdev
New Member
‎03-11-2013 04:23 AM

This is the string :
VERTICA-MIB::vertHostName = STRING: "vertica-1"

i'm trying to extract the hostname so added the following at props.conf:

EXTRACT-vertHostName = ((?(<name>)yes|VERTICA-MIB::vertHostName\s=\sSTRING:\s\")(?<vertHostName>[^"]+))

which returns:
STRING: "vertica-1"

need to return:
vertica-1

Tags (1)
0 Karma
Reply

ispdev
New Member
‎03-13-2013 12:24 AM

OK this works fine on splunk:
EXTRACT-vertHostName = .+VERTICA-MIB::vertHostName\s=\sSTRING:\s\"(?[^\"]+)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-11-2013 06:15 AM

Your regex is pulling all of the string initially. You have 5 capture groups, only 2 of which are named. Try this.

EXTRACT-vertHostName = VERTICA-MIB::vertHostName\s*=\s*STRING:\s*"(?<vertHostName)[^"]*)"

0 Karma
Reply

ispdev
New Member
‎03-11-2013 07:29 AM

there is a ( missing here...
and > missing i think...

i also checked this
((?()yes|VERTICA-MIB::vertHostName\s=\sSTRING:\s\")([^"]+))

with a regexp tool "Regulator" and it seems to work fine there.
at splunk i just add the ? but it keeps returning:
STRING: "vertica-1"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...