Splunk Search

Extracting words in a string with regular expressions

7ryota
Explorer

Hi,

i need help to extract word from a string

 

string

Security agent installation attempted Endpoint: (Not Found)
Security agent intstallation attempted Endpoint: hostname

 

result

Not Found

hostname

 

how can i construct a regular expression to extract out what i wanted?

 

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| rex ":\s+\(*(?<result>[^)]+)"

View solution in original post

0 Karma

inventsekar
Ultra Champion

not sure how to remove the ")" at the "Not Found)"

|makeresults | eval string="Security agent installation attempted Endpoint: (Not Found)
Security agent intstallation attempted Endpoint: hostname" 
| rex field=string max_match=0 ":\s+\(?(?P<result>.+)"
|table string result

rex-string.png

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @7ryota,

you could use two regexes like the following:

| rex ":\s+\(*(?<result>.+)"
| rex field=result "^(?<result>[^)]+)"

The first extract the full value and the second deletes the parenthesis when present.

Ciao.

Giuseppe

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex ":\s+\(*(?<result>[^)]+)"
0 Karma

inventsekar
Ultra Champion

Hi @ITWhisperer ... i am trying to learn and understand your rex, as i ran it, but it does not fetch the string.. not sure what went wrong.. please suggest. 

i used this search: 

|makeresults | eval string="Security agent installation attempted Endpoint: (Not Found) 
Security agent intstallation attempted Endpoint: hostname" 
| rex ":\s+\(*(?<result>[^)]+)"
|table string result

rex-string1.png

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

By default, rex operates on the _raw field. Either change your eval so it assigns to _raw rather than string or add field=string to the rex

inventsekar
Ultra Champion

Sure @ITWhisperer , but, still it found only first match.. the "hostname" was not matched.. 

rex-string2.png

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You can use rex max_match=0 to get multiple matches

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...