Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extracting words in a string with regular expr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm struggling to get a regular expression for characters in a string.
https://status.aws.amazon.com/rss/#elb-us-west-1.rss
I need "#elb" , but this string is changed each event.
(for example, #ec2, #s3,#cloudwatch etc...)
so,I want to extract all name, but I can not extract this string.
(I made [#]\w* but it does not work.)
How can I write a regular expression that gets a string starting with #?
Thank you for helping.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This will get the string immediately after the # and before the next minus sign:
| rex "#(?<something>[^\-]+)"
If you need everything up to the .rss, then:
| rex "#(?<something>[^\.]+)"
If this doesn't work, then please post more event samples.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This will get the string immediately after the # and before the next minus sign:
| rex "#(?<something>[^\-]+)"
If you need everything up to the .rss, then:
| rex "#(?<something>[^\.]+)"
If this doesn't work, then please post more event samples.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this,
| makeresults
| eval temp="https://status.aws.amazon.com/rss/#elb-us-west-1.rss"
| rex field=temp "(?P<result>#[^\/]+$)"
| eval result =mvindex(split(result,"-"),0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for helping me.
I never thought of it!!
elb was extracted.
Thank you.
However, in addition to #elb, I want the names of other names such as # ec2 and # s3.
I want all the #service names for the data I got.
(This http: // ******* will change depending on the service, and there is already a field called id)
so, I changed
| makeresults
| rex field=id "(?P#[^\/]+$)"
| eval result =mvindex(split(result,"-"),0)
But, it does not work.
I'm sorry for my English is bad.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for helping.
There are a lot of different URL in the field called id.
id field has many URL.
For example,
https://status.aws.amazon.com/rss/#elb-us-west-1.rss
https://status.aws.amazon.com/rss/#ec2-us-west-1.rss
https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss
https://status.aws.amazon.com/rss/#apigateway-eu-central-1
I want to extract olny #names.
such as
ec2
s3
apigateway
elb
I'm sorry for I can not attach pictures.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this
| makeresults
| eval id="https://status.aws.amazon.com/rss/#elb-us-west-1.rss,https://status.aws.amazon.com/rss/#ec2-us-west-1.rss,https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss,https://status.aws.amazon.com/rss/#apigateway-eu-central-1"
| makemv delim="," id
| mvexpand id
| rex field=id "(?P<result>#[^\/]+$)"
| eval result =mvindex(split(result,"-"),0)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please post some more sample data.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help.
There are a lot of different URL in the field called id.
For example,
https://status.aws.amazon.com/rss/#elb-us-west-1.rss
https://status.aws.amazon.com/rss/#ec2-us-west-1.rss
https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss
https://status.aws.amazon.com/rss/#apigateway-eu-central-1
I want to extract only #name.
ec2
s3
apigateway
elb
I'm sorry for I can not attach pictures.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @pipipipi,
You can use an eval also, like this:
index=**** | eval str="https://status.aws.amazon.com/rss/#elb-us-west-1.rss" , name=mvindex(split(mvindex(split(str,"#"),1),"-"),0)
| dedup str, name | table str, name.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
