Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extracting two types of fields in a query (IFX)

HelpMePlease
Explorer
‎07-25-2013 11:42 PM

I have my xml data HERE, I need to extract using Splunk IFX, Generated pattern (regex).

Example Xml: (22/7)17:53 Accident on AYE (towards Tuas) after Jurong Port Rd Exit. Avoid lane 3./d:Message

I have this expression that extract from word after until Exit.
(?i) after (?P.[^.]*?Exit)

As this look for word Exit only, how do I add other situation such as Rd|Entrance ?
I tried (?i) after (?P.[^.]*?(Exit|Entrance|Rd)), it gives me Invalid regex: no named extraction at position 39 (i.e., "?(Exit|Ent..."). Expected "(?Ppattern)"

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HelpMePlease
Explorer
‎07-26-2013 01:53 AM

After hours of trying, solved by (?i) (?P<dummyone>on) (?P<onexpressway>[^.]+?)\s+(?:\([^)]*?\)\s+)?(?P<dummytwo>at|after|before) (?P<locationaccident>[^.]*?(?P<dummythree>Exit|Flyover|Tunnel|Exit\.|Rd\.|Entrance\.|Ave\.|Avenue\.|North\.|South\.|East\.|West\.|[1-99]\.|BKE\.|SLE\.|CTE\.|ECP\.|KJE\.|TPE\.|PIE\.|AYE\.|Kayu\.|Way\.|Halus\.|Circus\.|Link\.|Highway\.|Tuas\.|Bahagia\.|Merah\.|Limau\.|Park\.|Lay\.|Drive\.|Dr\.|Queensway\.|Village\.|Town\.|Crescent\.|Link\.|Payoh\.|Kechil\.|Central\.))

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

HelpMePlease
Explorer
‎07-26-2013 01:53 AM

After hours of trying, solved by (?i) (?P<dummyone>on) (?P<onexpressway>[^.]+?)\s+(?:\([^)]*?\)\s+)?(?P<dummytwo>at|after|before) (?P<locationaccident>[^.]*?(?P<dummythree>Exit|Flyover|Tunnel|Exit\.|Rd\.|Entrance\.|Ave\.|Avenue\.|North\.|South\.|East\.|West\.|[1-99]\.|BKE\.|SLE\.|CTE\.|ECP\.|KJE\.|TPE\.|PIE\.|AYE\.|Kayu\.|Way\.|Halus\.|Circus\.|Link\.|Highway\.|Tuas\.|Bahagia\.|Merah\.|Limau\.|Park\.|Lay\.|Drive\.|Dr\.|Queensway\.|Village\.|Town\.|Crescent\.|Link\.|Payoh\.|Kechil\.|Central\.))

0 Karma
Reply
Solved! Jump to solution

HelpMePlease
Explorer
‎07-28-2013 11:13 PM

Splunk doesn't like unnamed groups. Hope this will help some people 😃

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...