Extracting words in a string with regular expressions

7ryota
Explorer

Hi,

I need help to extract a word from a string.

string

Security agent installation attempted Endpoint: (Not Found)
Security agent intstallation attempted Endpoint: hostname

result

Not Found

hostname

How can I construct a regular expression to extract what I wanted?

 

1 Solution

ITWhisperer
SplunkTrust
| rex ":\s+\(*(?<result>[^)]+)"


inventsekar
SplunkTrust

Not sure how to remove the ")" at the end of "Not Found)".

|makeresults | eval string="Security agent installation attempted Endpoint: (Not Found)
Security agent intstallation attempted Endpoint: hostname" 
| rex field=string max_match=0 ":\s+\(?(?P<result>.+)"
|table string result


gcusello
SplunkTrust

Hi @7ryota,

you could use two regexes like the following:

| rex ":\s+\(*(?<result>.+)"
| rex field=result "^(?<result>[^)]+)"

The first extracts the full value and the second deletes the parenthesis when present.

Ciao.

Giuseppe


inventsekar
SplunkTrust

Hi @ITWhisperer ... I am trying to learn and understand your rex. As I ran it, it does not fetch the string. Not sure what went wrong. Please suggest.

I used this search:

|makeresults | eval string="Security agent installation attempted Endpoint: (Not Found) 
Security agent intstallation attempted Endpoint: hostname" 
| rex ":\s+\(*(?<result>[^)]+)"
|table string result


ITWhisperer
SplunkTrust

By default, rex operates on the _raw field. Either change your eval so it assigns to _raw rather than string, or add field=string to the rex.

inventsekar
SplunkTrust

Sure @ITWhisperer, but it still found only the first match; the "hostname" was not matched.


ITWhisperer
SplunkTrust

You can use rex max_match=0 to get multiple matches.

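To check the thread's patterns offline before running them in Splunk, here is an added Python example (not from any of the posters) that applies the same regexes to the question's two strings and emulates rex's default single match versus max_match=0. It also adds a hypothetical newline-excluding variant, because [^)]+ matches across lines when both events sit in one makeresults field. Python's re needs (?P<name>...) where Splunk's PCRE accepts (?<name>...).

```python
import re

# Constructed sample events, copied from the question's two strings
# (the second keeps the author's "intstallation" typo; the regex ignores it).
EVENTS = [
    "Security agent installation attempted Endpoint: (Not Found)",
    "Security agent intstallation attempted Endpoint: hostname",
]

# The thread's makeresults/eval test puts BOTH lines into one field value,
# so rex sees one string and, by default, returns only the first match.
MULTILINE_STRING = "\n".join(EVENTS)
REVERSED_STRING = "\n".join(reversed(EVENTS))  # constructed edge case

# Accepted answer:  :\s+\(*(?<result>[^)]+)
# Splunk rex is PCRE and accepts (?<name>...); Python's re needs (?P<name>...).
ACCEPTED = re.compile(r":\s+\(*(?P<result>[^)]+)")

# First attempt from the thread, which keeps the trailing ")":  :\s+\(?(?P<result>.+)
FIRST_ATTEMPT = re.compile(r":\s+\(?(?P<result>.+)")

# Hypothetical tightened variant (not from the thread): [^)]+ also matches
# newlines, so in a multi-line field it can swallow the next line when the
# unparenthesised value comes first; excluding \r and \n keeps each match on
# its own line.
LINE_SAFE = re.compile(r":\s+\(*(?P<result>[^)\r\n]+)")


def rex(pattern: re.Pattern, text: str, max_match: int = 1) -> list[str]:
    """Emulate `| rex field=<text> ...` on one field value.

    max_match=1 mimics Splunk's default (first match only);
    max_match=0 returns every match, as `rex max_match=0` does.
    """
    hits = [m.group("result") for m in pattern.finditer(text)]
    return hits if max_match == 0 else hits[:max_match]


if __name__ == "__main__":
    for label, pat in [("accepted", ACCEPTED),
                       ("first attempt", FIRST_ATTEMPT),
                       ("line-safe", LINE_SAFE)]:
        print(label,
              rex(pat, MULTILINE_STRING, max_match=0),
              rex(pat, REVERSED_STRING, max_match=0))
```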