Splunk Search

Help using regex to break a comma separated string

mdurdel
New Member

I have a text string field in my events which contains one or many date/time stamps within the string. The string is comma separated with a leading comma at the beginning of the string and no trailing comma at the end.

Example String:

,05-NOV-19 10.24.36.309000 PM AMERICA/CHICAGO,08-NOV-19 12.30.05.471000 PM AMERICA/CHICAGO,08-NOV-19 12.32.28.525000 PM AMERICA/CHICAGO

I need help writing a regex/rex statement that will break this string and return only the first date/time stamp as emboldened above.

Any help is appreciated.

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

... | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"

View solution in original post

0 Karma

dchando
Engager

Hi,

 

While using split I am facing an issue, in my events I have null values for a filed sometimes.

for sexample -

f1,f2,f3,f4,f5 - this works perfectly

but below data with missing values in few fields giving issues.

f1,f2,,,f5

split commands suggests f5 is f4 

 

Can this be handled ?

 

Thanks in advance!!!

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex field=ExistingFieldMaybe_raw "[,\s]+(?<MyCaptureFieldName>[^,]+)"
0 Karma

mdurdel
New Member

@woodcock...Thank you for the response. This did work to extract the value I am looking for.

0 Karma

arjunpkishore5
Motivator

You just need the first in the list, use max_match=1

| rex field=<your field> max_match=1 ",(?<first_field>[^,]+)"
0 Karma

mdurdel
New Member

@arjunpkishore5...Thank you for the response. This did work to extract the value I am looking for.

0 Karma

rashi83
Path Finder

Hi , I have this regular expression - [^"\n]"\w+\s+(?P[^"]+)
but when I try to do | rex field =_raw "[^"\n]
"\w+\s+(?P[^"]+)" it doesn't work

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You don't have to use rex. Another way to do it is to use split to break the field at commas then use mvindex to grab the second value.

... | eval foo=mvindex(split(_raw, ","), 1)
---
If this reply helps you, Karma would be appreciated.

manuelostertag
Path Finder

Indeed, I didn't think to solve it with split 🙂

In this case split vs regex:
"Too easy - let's muddle it up some..."

0 Karma

mdurdel
New Member

@richgalloway...Thank you for the response. This did work to extract the value I am looking for.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@mdurdel, If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

Anantha123
Communicator

Hi,

Try this

|rex field=_raw \,(?P<Date>[^\s]+) (?P<Time>[^\s]+) | table Date Time

Regards,
Anantha.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...