Solved: Re: Help using regex to break a comma separated st...

mdurdel · ‎11-08-2019

I have a text string field in my events which contains one or many date/time stamps within the string. The string is comma separated with a leading comma at the beginning of the string and no trailing comma at the end.

Example String:

,05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO,08-NOV-19 12.32.28.525000 PM AMERICA/CHICAGO

I need help writing a regex/rex statement that will break this string and return only the first date/time stamp as emboldened above.

Any help is appreciated.

woodcock · ‎11-09-2019

Like this:

... | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

View solution in original post

dchando · ‎01-05-2021

Hi,

While using split I am facing an issue, in my events I have null values for a filed sometimes.

for sexample -

f1,f2,f3,f4,f5 - this works perfectly

but below data with missing values in few fields giving issues.

f1,f2,,,f5

split commands suggests f5 is f4

Can this be handled ?

Thanks in advance!!!

woodcock · ‎11-09-2019

Like this:

... | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

mdurdel · ‎11-11-2019

@woodcock...Thank you for the response. This did work to extract the value I am looking for.

arjunpkishore5 · ‎11-09-2019

You just need the first in the list, use max_match=1

| rex field=<your field> max_match=1 ",(?<first_field>[^,]+)"

mdurdel · ‎11-11-2019

@arjunpkishore5...Thank you for the response. This did work to extract the value I am looking for.

rashi83 · ‎11-08-2019

Hi , I have this regular expression - [^"\n]"\w+\s+(?P[^"]+)
but when I try to do | rex field =_raw "[^"\n]"\w+\s+(?P[^"]+)" it doesn't work

richgalloway · ‎11-08-2019

You don't have to use rex. Another way to do it is to use split to break the field at commas then use mvindex to grab the second value.

... | eval foo=mvindex(split(_raw, ","), 1)

---
If this reply helps you, Karma would be appreciated.

manuelostertag · ‎12-20-2019

Indeed, I didn't think to solve it with split 🙂

In this case split vs regex:
"Too easy - let's muddle it up some..."

mdurdel · ‎11-11-2019

@richgalloway...Thank you for the response. This did work to extract the value I am looking for.

richgalloway · ‎11-11-2019

@mdurdel, If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

Anantha123 · ‎11-08-2019

Hi,

Try this

|rex field=_raw \,(?P<Date>[^\s]+) (?P<Time>[^\s]+) | table Date Time

Regards,
Anantha.

Help using regex to break a comma separated string

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?

Are you a member of the Splunk Community?

Help using regex to break a comma separated string

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

Index This | How do you write 23 only using the number 2?