Splunk Search

How can I extract these 3 values from this string via regex?

vinay4444
Explorer

Hi

I need a regex match on the below pattern. I need to capture 3 values from

"ms.db.tablespace_status_ind[DBID_FACT_D03,NORMAL]"

name -> ms.db.tablespace_status_ind
table-> DBID_FACT_D03
status-> NORMAL

0 Karma
1 Solution

esix_splunk
Splunk Employee
Splunk Employee

Based on your sample event:

^(?<capture1>[^\[]+)\[(?<capture2>[^\,]+),(?<capture3>[^\]]+)\]

You can rename the capture groups to fix your needs... This also assumes that there are not quotes enclosing the event, and that its starts from the beginning of the line.

View solution in original post

esix_splunk
Splunk Employee
Splunk Employee

Based on your sample event:

^(?<capture1>[^\[]+)\[(?<capture2>[^\,]+),(?<capture3>[^\]]+)\]

You can rename the capture groups to fix your needs... This also assumes that there are not quotes enclosing the event, and that its starts from the beginning of the line.

Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...