Solved: Re: Help with regex in transforms

a212830 · ‎06-14-2019

Hi,

I'm hoping that someone can help me with a regex.

Here's the source data:

<OTHERFIELD>some values</OTHERFIELD><COMPID>string1 node 1</COMPID><MOREOTHERFIELDS>more values</MOREOTHERFIELDS>

I need to extract everything between the COMPID brackets. I have the following, but it's grabbing the extra bracket at the end.

REGEX = \<COMPID\>(?<dvcTEST>\w*\s)

I've tried regex101 site, but wasn't able to get it right.

jnudell_2 · ‎06-14-2019

Hi @a212830 ,
I would do this as a one-liner in props.conf:

EXTRACT-compid = \<COMPID\>(?<dvcTEST>[^\<]+)\<\/COMPID\>

But if you REALLY want to do it in props.conf & transforms.conf:
props.conf

REPORT-extract_compid = extract_compid

transforms.conf

[extract_compid]

REGEX = &lt;COMPID&gt;(?<dvcTEST>[^&lt;]+)&lt;\/COMPID&gt;

FORMAT = dvcTEST::$1

View solution in original post

wneighbo · ‎06-14-2019

Try this:

<\COMPID>(.*?)<

*take out \ in <\COMPID>

jnudell_2 · ‎06-14-2019

Hi @a212830 ,
I would do this as a one-liner in props.conf:

EXTRACT-compid = \<COMPID\>(?<dvcTEST>[^\<]+)\<\/COMPID\>

But if you REALLY want to do it in props.conf & transforms.conf:
props.conf

REPORT-extract_compid = extract_compid

transforms.conf

[extract_compid]

REGEX = &lt;COMPID&gt;(?<dvcTEST>[^&lt;]+)&lt;\/COMPID&gt;

FORMAT = dvcTEST::$1

a212830 · ‎06-14-2019

Thanks. I like that better. What if I just wanted the first word between the brackets? I have similiar ones where only the first word is needed.

jnudell_2 · ‎06-14-2019

Then you would use a regex match for any non-whitespace character. As an example:
Instead of [^\<]+
Use \S+

a212830 · ‎06-14-2019

Tried this, but it didn't work:

EXTRACT-testcompid = \<COMPID\>(?<testdvc>\S+)\<\/COMPID\>

I'm trying to get the first word between the COMPID brackets.

wneighbo · ‎06-14-2019

add .*? after your named group or remove <\/COMPID>

a212830 · ‎06-14-2019

So, this? EXTRACT-testcompid = \<COMPID\>(?<testdvc>.*?)\<\/COMPID\>

I tried it in regex101, and it didn't get anything.

a212830 · ‎06-14-2019

Elimnated the COMPID, and it worked. Thanks everyone! Much appreciated.

jnudell_2 · ‎06-14-2019

This would work: EXTRACT-testcompid = \<COMPID\>(?<testdvc>\S+).*?\<\/COMPID\>
But using: EXTRACT-testcompid = \<COMPID\>(?<testdvc>\S+) works as well.

kmorris_splunk · ‎06-14-2019

Does this do the trick?

(?[\w\s]+)<\/COMPID>

a212830 · ‎06-14-2019

This is in transforms.conf, so where would the field get defined? I tried that, it errors out when restarting the search-head:

REGEX = \<COMPID\>(?[\w\s]+)<\/COMPID>

Help with regex in transforms

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

Developer Spotlight with Paul Stout