Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extraction using regular expressions

honobe
Explorer
‎07-26-2017 02:52 AM

I want to extract a character string using a regular expression.

I am considering extracting the field (message ID) using the rex command, but I can not extract it with regular expressions.

Message ID = '< xxxxxxxx>'

※I want to extract characters between 「'<」 and 「>'」
※There is no space in the actual log.

I want to extract xxxxxxxx and make the field of message ID have the following form.

Message ID = xxxxxxxx

What kind of regular expression can I use to extract xxxxxxxx?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎07-26-2017 03:29 AM

Try the following run-anywhere example.

| makeresults 
| eval _raw = "Message ID = '< xxxxxxxx>'"
| rex field=_raw "Message ID = '<(?<MessageID>[^>]+)>'"

You can test the rex with your sample events. Eventually, create a Field Extraction Knowledge Object for the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎07-26-2017 03:34 AM

Hi honobe,

based on the provided information this regex:

 '<(?<Message_ID>[^>]+)>'

will match everything between '< and >' and use the match in the new field called Message_ID.

This is a really basic example and can be optimised but I hope it helps to get you started ...

btw don't use field names with spaces 😉

cheers, MuS

Reply
Solved! Jump to solution

honobe
Explorer
‎07-26-2017 04:38 AM

Thank you very much.
Thanks to your answer, I was able to solve the problem.

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎07-26-2017 03:29 AM

Try the following run-anywhere example.

| makeresults 
| eval _raw = "Message ID = '< xxxxxxxx>'"
| rex field=_raw "Message ID = '<(?<MessageID>[^>]+)>'"

You can test the rex with your sample events. Eventually, create a Field Extraction Knowledge Object for the same.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

honobe
Explorer
‎07-26-2017 04:39 AM

Thank you very much.
Thanks to your answer, I was able to solve the problem.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎07-26-2017 03:37 AM

typing too slow...again

Just a little tip: there is actually no need to escape the > inside of the [...] it will also work without the escaping

Reply
Solved! Jump to solution

niketn
Legend
‎07-26-2017 04:49 AM

Thanks @Mus, I have corrected. But \ in regular expression also tells match exactly. It works either way, I missed removing it.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...