Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract text between 2 standard texts that may contain " . , ? / " ?

kostasKats
Explorer
‎07-10-2015 07:35 AM

I have this type of log:

Bin:456852 IssuingBank:PBS INTERNATIONAL A/S;DANSKE BANK;DANSKEBANK IssingCountry:DK IRF: Intra EEA CardProfile1:Consumer CardProfile2:Base

How can I extract : bank, issingcountry, IRF, Cardprofile1, CardProfile2? and then stats count by bank, issingcountry,IRF, Cardprofile1....

Can anyone please help me with this? anything I found in the forum did not work!

I tried something like this but I suppose I need sth upper level regex!

rex field=_raw "IssingCountry:(?<issingcountry>\w{2})" | rex field=_raw "IssuingBank:(?<bank>\w{13})"
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aholzel
Communicator
‎07-22-2015 04:32 AM

I think there are two problems.
First one is that in the field extract you give the field the name issingcountry but in the table you ask for the field issingCountry (note the capital C of country).
Second one is that the regex doesn't match the problem is with the IRF field in the extract you place a space after "IRF:" but in the sample this space doesn't exist so there is no match.

Also while you are editing the regex may I suggest you use this one:

IssuingBank:(?P<bank>[^,]+).*?IssingCountry:(?P<issingCountry>\w+)\sIRF:(?<IRF>.+?)\sCardProfile1:(?<cardProfile1>\w+)\sCardProfile2:(?P<cardProfile2>\w+)

The regex above only needs 107 steps to match all the fields while the regex that you use needs 2769 steps to match, this means that you will have a faster search.
(note: in the regex above I used a capital c in issingCountry)

View solution in original post

Reply
Solved! Jump to solution
Solution

aholzel
Communicator
‎07-22-2015 04:32 AM

I think there are two problems.
First one is that in the field extract you give the field the name issingcountry but in the table you ask for the field issingCountry (note the capital C of country).
Second one is that the regex doesn't match the problem is with the IRF field in the extract you place a space after "IRF:" but in the sample this space doesn't exist so there is no match.

Also while you are editing the regex may I suggest you use this one:

IssuingBank:(?P<bank>[^,]+).*?IssingCountry:(?P<issingCountry>\w+)\sIRF:(?<IRF>.+?)\sCardProfile1:(?<cardProfile1>\w+)\sCardProfile2:(?P<cardProfile2>\w+)

The regex above only needs 107 steps to match all the fields while the regex that you use needs 2769 steps to match, this means that you will have a faster search.
(note: in the regex above I used a capital c in issingCountry)

Reply
Solved! Jump to solution

kostasKats
Explorer
‎08-05-2015 01:23 AM

Dear aholzel I want your help again with something else:

Parameters: {"referrer"=>"http://www.xxxxx.net/transport_deeplink/4.0/EE/en-gb/EUR

I have this line and i want ot use a regex command (rex field=_raw) in order to count them by:

domain: http://www.xxxxx.net
country: EE
language: en-gb
currency: EUR

Can you please help me with this?

0 Karma
Reply
Solved! Jump to solution

kostasKats
Explorer
‎07-22-2015 05:27 AM

Thank you very very much! This worked perfect!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2015 07:51 AM

This should be helpful:

... | rex "IssuingBank:(?P<bank>.+).*?IssingCountry:(?P<issingcountry>\w+) IRF: (?<IRF>[ \w]+) CardProfile1:(?<cardProfile1>\w+) CardProfile2:(?P<cardProfile2>\w+)" | stats count by bank, issingcountry, IRF, cardProfile1
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kostasKats
Explorer
‎07-13-2015 04:37 AM

Hello,

I used exactly what you proposed without the stat command and it seemed to work! But my initial purpose is to count them and export them into excel!

Do you have any idea how can I count them?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-19-2015 07:30 PM

Try ... | stats count(_time) by bank, issingcountry, IRF, cardProfile1

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kostasKats
Explorer
‎07-19-2015 11:54 PM

Unfortunately it did not work. If I had to guess, I would say that the extracting method is not working.

It should have worked as it was:

... | rex "IssuingBank:(?P.+).*?IssingCountry:(?P\w+) IRF: (?[ \w]+) CardProfile1:(?\w+) CardProfile2:(?P\w+)" | stats count by bank, issingcountry, IRF, cardProfile1

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2015 07:20 AM

Didn't you say it worked without the stats command? That should mean the extraction is working.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kostasKats
Explorer
‎07-20-2015 07:34 AM

I thought that it worked but since I can not use stats count it showed me that it didn't!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2015 11:28 AM

So what do you get?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kostasKats
Explorer
‎07-20-2015 11:52 PM

I am using this splunk version: 5.0.2, build 14956

It comes empty!! really appreciate your willingness to help out!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-21-2015 03:17 PM

If you run this query do you get any results?

... | rex "IssuingBank:(?P<bank>.+).*?IssingCountry:(?P<issingcountry>\w+) IRF: (?<IRF>[ \w]+) CardProfile1:(?<cardProfile1>\w+) CardProfile2:(?P<cardProfile2>\w+)" | table bank issingCountry IRF cardProfile1 cardProfile2
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kostasKats
Explorer
‎07-22-2015 01:29 AM

Empty results again! 😞

https://www.diigo.com/item/image/564dw/ytbe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-22-2015 08:05 AM

So you're getting matching events, but no results. That means your data probably isn't matching the regex string. Please verify the output of flprd put/PAY matches your original post.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kostasKats
Explorer
‎07-10-2015 08:36 AM

Unfortunately it did not work!

The log is :

row1.....
row2....
row3....
row4....

18:00:19,727 INFO FlightsCostBasedGatewaySorter 5fd00a8d271411e598e306695ac8a534 BinInfo for Bin:656814 IssuingBank:SANTANDER, UK ?PLC IssingCountry:GB IRF:Intra EEA CardProfile1:Consumer CardProfile2:Base

I used this: 

rex field=_raw "IssuingBank:(?P.+).*?IssingCountry:(?P\w+) IRF: (?[ \w]+) CardProfile1:(?\w+) CardProfile2:(?P\w+)" | stats count by bank, issingcountry, IRF, cardProfile1
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2015 08:44 AM

One of the reasons it did not work is you removed the field extractions from the regex string. Please try again using the regex in my answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kostasKats
Explorer
‎07-10-2015 08:51 AM

I used this: (like before, I miss typed what I used!) 

rex "IssuingBank:(?P.+).*?IssingCountry:(?P\w+) IRF: (?[ \w]+) CardProfile1:(?\w+) CardProfile2:(?P\w+)" | stats count by bank, issingcountry, IRF, cardProfile1

And it did not work: No results found. Inspect ... !

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2015 09:45 AM

I still don't see the same regex as is in my answer. Try removing the stats command to see if you're getting data extracted from the events.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...