Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with regex in transforms

a212830
Champion
‎06-14-2019 08:58 AM

Hi,

I'm hoping that someone can help me with a regex.

Here's the source data:

<OTHERFIELD>some values</OTHERFIELD><COMPID>string1 node 1</COMPID><MOREOTHERFIELDS>more values</MOREOTHERFIELDS>

I need to extract everything between the COMPID brackets. I have the following, but it's grabbing the extra bracket at the end.

REGEX = \<COMPID\>(?<dvcTEST>\w*\s)

I've tried regex101 site, but wasn't able to get it right.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jnudell_2
Builder
‎06-14-2019 09:49 AM

Hi @a212830 ,
I would do this as a one-liner in props.conf:

EXTRACT-compid = \<COMPID\>(?<dvcTEST>[^\<]+)\<\/COMPID\>

But if you REALLY want to do it in props.conf & transforms.conf:
props.conf

REPORT-extract_compid = extract_compid

transforms.conf

[extract_compid]

REGEX = &lt;COMPID&gt;(?<dvcTEST>[^&lt;]+)&lt;\/COMPID&gt;

FORMAT = dvcTEST::$1

View solution in original post

Reply
Solved! Jump to solution

wneighbo
New Member
‎06-14-2019 10:02 AM

Try this:

<\COMPID>(.*?)<

*take out \ in <\COMPID>

0 Karma
Reply
Solved! Jump to solution
Solution

jnudell_2
Builder
‎06-14-2019 09:49 AM

Hi @a212830 ,
I would do this as a one-liner in props.conf:

EXTRACT-compid = \<COMPID\>(?<dvcTEST>[^\<]+)\<\/COMPID\>

But if you REALLY want to do it in props.conf & transforms.conf:
props.conf

REPORT-extract_compid = extract_compid

transforms.conf

[extract_compid]

REGEX = &lt;COMPID&gt;(?<dvcTEST>[^&lt;]+)&lt;\/COMPID&gt;

FORMAT = dvcTEST::$1

Reply
Solved! Jump to solution

a212830
Champion
‎06-14-2019 10:06 AM

Thanks. I like that better. What if I just wanted the first word between the brackets? I have similiar ones where only the first word is needed.

0 Karma
Reply
Solved! Jump to solution

jnudell_2
Builder
‎06-14-2019 11:38 AM

Then you would use a regex match for any non-whitespace character. As an example:
Instead of [^\<]+
Use \S+

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎06-14-2019 12:42 PM

Tried this, but it didn't work:

EXTRACT-testcompid = \<COMPID\>(?<testdvc>\S+)\<\/COMPID\>

I'm trying to get the first word between the COMPID brackets.

0 Karma
Reply
Solved! Jump to solution

wneighbo
New Member
‎06-14-2019 12:56 PM

add .*? after your named group or remove <\/COMPID>

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎06-14-2019 01:00 PM

So, this? EXTRACT-testcompid = \<COMPID\>(?<testdvc>.*?)\<\/COMPID\>

I tried it in regex101, and it didn't get anything.

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎06-14-2019 01:11 PM

Elimnated the COMPID, and it worked. Thanks everyone! Much appreciated.

0 Karma
Reply
Solved! Jump to solution

jnudell_2
Builder
‎06-14-2019 01:13 PM

This would work: EXTRACT-testcompid = \<COMPID\>(?<testdvc>\S+).*?\<\/COMPID\>
But using: EXTRACT-testcompid = \<COMPID\>(?<testdvc>\S+) works as well.

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-14-2019 09:05 AM

Does this do the trick?

(?[\w\s]+)<\/COMPID>

0 Karma
Reply
Solved! Jump to solution

a212830
Champion
‎06-14-2019 09:37 AM

This is in transforms.conf, so where would the field get defined? I tried that, it errors out when restarting the search-head:

REGEX = \<COMPID\>(?[\w\s]+)<\/COMPID>
0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques (Part 6)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...
Top