elb was extracted.

pipipipi · ‎08-08-2019

Hi,

I'm struggling to get a regular expression for characters in a string.

https://status.aws.amazon.com/rss/#elb-us-west-1.rss

I need "#elb" , but this string is changed each event.
(for example, #ec2, #s3,#cloudwatch etc...)

so,I want to extract all name, but I can not extract this string.
(I made [#]\w* but it does not work.)

How can I write a regular expression that gets a string starting with #?

Thank you for helping.

jpolvino · ‎08-08-2019

This will get the string immediately after the # and before the next minus sign:

| rex "#(?<something>[^\-]+)"

If you need everything up to the .rss, then:

| rex "#(?<something>[^\.]+)"

If this doesn't work, then please post more event samples.

View solution in original post

jpolvino · ‎08-08-2019

This will get the string immediately after the # and before the next minus sign:

| rex "#(?<something>[^\-]+)"

If you need everything up to the .rss, then:

| rex "#(?<something>[^\.]+)"

If this doesn't work, then please post more event samples.

vnravikumar · ‎08-08-2019

Hi

Try this,

| makeresults 
| eval temp="https://status.aws.amazon.com/rss/#elb-us-west-1.rss" 
| rex field=temp "(?P<result>#[^\/]+$)" 
| eval result =mvindex(split(result,"-"),0)

pipipipi · ‎08-08-2019

Thank you for helping me.

I never thought of it!!

elb was extracted.

Thank you.

However, in addition to #elb, I want the names of other names such as # ec2 and # s3.
I want all the #service names for the data I got.
(This http: // ******* will change depending on the service, and there is already a field called id)
so, I changed

| makeresults

| rex field=id "(?P#[^\/]+$)"
| eval result =mvindex(split(result,"-"),0)

But, it does not work.
I'm sorry for my English is bad.

pipipipi · ‎08-08-2019

Thank you for helping.
There are a lot of different URL in the field called id.

id field has many URL.
For example,
https://status.aws.amazon.com/rss/#elb-us-west-1.rss

https://status.aws.amazon.com/rss/#ec2-us-west-1.rss

https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss

https://status.aws.amazon.com/rss/#apigateway-eu-central-1

I want to extract olny #names.
such as

ec2

s3

apigateway

elb

I'm sorry for I can not attach pictures.

vnravikumar · ‎08-08-2019

Hi

Try this

| makeresults 
| eval id="https://status.aws.amazon.com/rss/#elb-us-west-1.rss,https://status.aws.amazon.com/rss/#ec2-us-west-1.rss,https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss,https://status.aws.amazon.com/rss/#apigateway-eu-central-1" 
| makemv delim="," id 
| mvexpand id 
| rex field=id "(?P<result>#[^\/]+$)" 
| eval result =mvindex(split(result,"-"),0)

vnravikumar · ‎08-08-2019

Please post some more sample data.

pipipipi · ‎08-08-2019

Thank you for your help.

There are a lot of different URL in the field called id.

For example,
https://status.aws.amazon.com/rss/#elb-us-west-1.rss

https://status.aws.amazon.com/rss/#ec2-us-west-1.rss

https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss

https://status.aws.amazon.com/rss/#apigateway-eu-central-1

I want to extract only #name.

ec2

s3

apigateway

elb

I'm sorry for I can not attach pictures.

Kawtar · ‎08-08-2019

Hello @pipipipi,

You can use an eval also, like this:

index=**** | eval str="https://status.aws.amazon.com/rss/#elb-us-west-1.rss" , name=mvindex(split(mvindex(split(str,"#"),1),"-"),0)
| dedup str, name | table str, name.

Extracting words in a string with regular expressions

elb was extracted.

ec2

s3

apigateway

elb

ec2

s3

apigateway

elb

Announcing the Expansion of the Splunk Academic Alliance Program

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)