Splunk Search

Extracting words in a string with regular expressions

Path Finder

Hi,

I'm struggling to get a regular expression for characters in a string.

https://status.aws.amazon.com/rss/#elb-us-west-1.rss

I need "#elb" , but this string is changed each event.
(for example, #ec2, #s3,#cloudwatch etc...)

so,I want to extract all name, but I can not extract this string.
(I made [#]\w* but it does not work.)

How can I write a regular expression that gets a string starting with #?

Thank you for helping.

0 Karma
1 Solution

Builder

This will get the string immediately after the # and before the next minus sign:

| rex "#(?<something>[^\-]+)"

If you need everything up to the .rss, then:

| rex "#(?<something>[^\.]+)"

If this doesn't work, then please post more event samples.

View solution in original post

Builder

This will get the string immediately after the # and before the next minus sign:

| rex "#(?<something>[^\-]+)"

If you need everything up to the .rss, then:

| rex "#(?<something>[^\.]+)"

If this doesn't work, then please post more event samples.

View solution in original post

Champion

Hi

Try this,

| makeresults 
| eval temp="https://status.aws.amazon.com/rss/#elb-us-west-1.rss" 
| rex field=temp "(?P<result>#[^\/]+$)" 
| eval result =mvindex(split(result,"-"),0)

Path Finder

Thank you for helping me.

I never thought of it!!

elb was extracted.

Thank you.

However, in addition to #elb, I want the names of other names such as # ec2 and # s3.
I want all the #service names for the data I got.
(This http: // ******* will change depending on the service, and there is already a field called id)
so, I changed

| makeresults

| rex field=id "(?P#[^\/]+$)"
| eval result =mvindex(split(result,"-"),0)

But, it does not work.
I'm sorry for my English is bad.

0 Karma

Path Finder

Thank you for helping.
There are a lot of different URL in the field called id.

id field has many URL.
For example,
https://status.aws.amazon.com/rss/#elb-us-west-1.rss

https://status.aws.amazon.com/rss/#ec2-us-west-1.rss

https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss

https://status.aws.amazon.com/rss/#apigateway-eu-central-1

I want to extract olny #names.
such as

ec2

s3

apigateway

elb

I'm sorry for I can not attach pictures.

0 Karma

Champion

Hi

Try this

| makeresults 
| eval id="https://status.aws.amazon.com/rss/#elb-us-west-1.rss,https://status.aws.amazon.com/rss/#ec2-us-west-1.rss,https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss,https://status.aws.amazon.com/rss/#apigateway-eu-central-1" 
| makemv delim="," id 
| mvexpand id 
| rex field=id "(?P<result>#[^\/]+$)" 
| eval result =mvindex(split(result,"-"),0)
0 Karma

Champion

Please post some more sample data.

0 Karma

Path Finder

Thank you for your help.

There are a lot of different URL in the field called id.

For example,
https://status.aws.amazon.com/rss/#elb-us-west-1.rss

https://status.aws.amazon.com/rss/#ec2-us-west-1.rss

https://status.aws.amazon.com/rss/#apigateway-ap-northeast-2.rss

https://status.aws.amazon.com/rss/#apigateway-eu-central-1

I want to extract only #name.

ec2

s3

apigateway

elb

I'm sorry for I can not attach pictures.

0 Karma

Path Finder

Hello @pipipipi,

You can use an eval also, like this:

index=**** | eval str="https://status.aws.amazon.com/rss/#elb-us-west-1.rss" , name=mvindex(split(mvindex(split(str,"#"),1),"-"),0)
| dedup str, name | table str, name.

0 Karma