Splunk Search
Highlighted

Help with RegEX

Communicator

Hello to all..

I am attempting (partially succesfully so far) to extract some text. The problem I am having is that it is also extracting unwanted text past the vaue I am (obviously incorrectly) specifying as the end point.

The string I am trying to extract is (in this example) ALEXANDRIA
ALEXANDRIA (attempting to extract the text between > and <)

The expression I am using is
rex field=_raw "\(?\S+)\<"

However, when I run the search, I also get the proceeding text in the returned value below:
ALEXANDRIANSW2015AUAustralia

As I say it is sort of working but I am unsure as to how to instruct the expression to stop at the < after the suburb name.

Any help or pointers will be gratefully accepted.
---update--
The input string is

<mm:SuburbName>ALEXANDRIA</mm:SuburbName>

The suburb will vary

The output I am getting is

ALEXANDRIA</mm:SuburbName><mm:StateOrProvinceCode>NSW</mm:StateOrProvinceCode><mm:PostalCode>2015</mm:PostalCode><mm:CountryCode>AU</mm:CountryCode><mm:CountryName>Australia</mm:CountryName>

Cheers all.

Alastair

0 Karma
Highlighted

Re: Help with RegEX

Contributor

Can you share a sample of the data set you are trying to work with?

Please enclose the example within the code sample (5th button on the textbox toolbox) so that the brackets arent removed.

0 Karma
Highlighted

Re: Help with RegEX

Communicator

Hello...

Sorry was just trying to work out how to do that 🙂

The expression I am using is rex field=_raw "\(?\S+)\<" and the output I am getting is
ALEXANDRIANSW2015AUAustralia

Hope this is as needed

0 Karma
Highlighted

Re: Help with RegEX

Communicator

Arrgghh.. will try again

RegEx = "rex field=_raw "\(?\S+)\<""

Output

"ALEXANDRIANSW2015AUAustralia"

0 Karma
Highlighted

Re: Help with RegEX

Communicator

Sorry... cannot get the RegEx string to display. Have tried using both and "`" but the string keeps getting chopped off.

Any other suggestions ?

0 Karma
Highlighted

Re: Help with RegEX

Contributor

We would need to see the input event so that we can help with the regex query.

0 Karma
Highlighted

Re: Help with RegEX

Communicator
`rex field=_raw  "\<mm\:SuburbName+\>(?<Suburb>\S+)\<"`
0 Karma
Highlighted

Re: Help with RegEX

Communicator

The input string is

<mm:SuburbName>ALEXANDRIA</mm:SuburbName>

The suburb will vary

The output I am getting is

ALEXANDRIA</mm:SuburbName><mm:StateOrProvinceCode>NSW</mm:StateOrProvinceCode><mm:PostalCode>2015</mm:PostalCode><mm:CountryCode>AU</mm:CountryCode><mm:CountryName>Australia</mm:CountryName>
0 Karma
Highlighted

Re: Help with RegEX

Communicator

So I am trying to extract the text string between > and < in this case ALEXANDRIA

0 Karma
Highlighted

Re: Help with RegEX

Explorer

Let me introduce you to my personal savior: RegEx101.com

(?i)SuburbName\>(?P\w+)\<