Splunk Search

How do I use regex to extract value in parenthesis preceded by parenthesis?

aramakrishnan
New Member

I have the following log(s) from which I want to extract the value inside the parenthesis. The parenthesis field is preceded by 2 other values in parenthesis, and is followed by the statement "No activation date"

{2015-09-24} {465456] [N1234SYS04] No activation date and no log bytes available.

I would like to extract the value in the 3rd parenthesis (i.e. N1234SYS04) as it is a valuable ID field that is not getting parsed into a field on Splunk. I'd like to use the regex command but I'm not sure what my syntax should be (rex field = _raw(......))

Any help would be great. Thanks!

1 Solution

MuS
SplunkTrust
SplunkTrust

Hi aramakrishnan,

you can try this regex:

your base search here | rex field=_raw "\[(?<ID>[^\]]*)" | do further splunk fu with ID

Hope this helps ...

cheers, MuS



aramakrishnan
New Member

This extracts the field but the issue is that there are actually 2 other fields that are preceded by the field I want, which also have the same format i.e. [2015-09-24][465456][N1234SYS04]. Using the rex syntax you provided pulls information from the first one, but I want it from the 3rd parenthesis (i.e. I want the field to only show N1234SYS04, but currently it's showing 2015-09-24). How can I specify which parenthesis I want to start the extraction from?


wrangler2x
Motivator

The original example you gave shows {} for the first, {] for the second, and [] for the third. With that data sample @MuS's rex would work perfectly.

If in fact you have [] [] [] then you can modify MuS's rex this way:

... | rex field=_raw "\[.*?\]\s+\[.*?\]\s+\[(?<ID>[^\]]*)" | stats count by ID

aramakrishnan
New Member

Thank you so much @wrangler2x and @Mus. That worked perfectly.


MuS
SplunkTrust
SplunkTrust

tested and working with this regex:

/opt/splunk/bin/splunk cmd pcregextest mregex="(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" test_str="[2015-09-24][465456][N1234SYS04]. 
> "

Original Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Expanded Pattern: '(\[[^\]]*\]){2}\[(?<ID>[^\]]*)'
Regex compiled successfully. Capture group count = 2. Named capturing groups = 1.
SUCCESS - match against: '[2015-09-24][465456][N1234SYS04]. 
'

#### Capturing group data ##### 
Group |            Name | Value
--------------------------------------
    1 |                 | [465456]
    2 |              ID | N1234SYS04

so use it like this:

your base search here | rex field=_raw "(\[[^\]]*\]){2}\[(?<ID>[^\]]*)" | ...
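An added worked example, not from the thread and not Splunk's own code: it runs the three rex patterns discussed above over constructed sample events with Python's re module (PCRE's (?<ID>...) becomes Python's (?P<ID>...), the only change to the patterns) and generalises MuS's {2} trick into a helper that pulls the n-th bracketed field, with or without spaces between fields.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample events: the [][][] format from the follow-up, the spaced
# [] [] [] format wrangler2x asked about, and the original {} {] [] sample.
SAMPLE_EVENTS = [
    "[2015-09-24][465456][N1234SYS04] No activation date and no log bytes available.",
    "[2015-09-25] [465457] [N1234SYS05] No activation date and no log bytes available.",
    "{2015-09-24} {465456] [N1234SYS04] No activation date and no log bytes available.",
]

# The three patterns from the thread, with (?<ID>...) written as (?P<ID>...).
REX_FIRST = r"\[(?P<ID>[^\]]*)"                       # MuS's first answer
REX_SPACED = r"\[.*?\]\s+\[.*?\]\s+\[(?P<ID>[^\]]*)"  # wrangler2x's variant
REX_COUNTED = r"(\[[^\]]*\]){2}\[(?P<ID>[^\]]*)"      # MuS's tested answer


def rex(pattern: str, event: str) -> Optional[str]:
    """Mimic `rex field=_raw "<pattern>"`: return the ID capture, or None if no match."""
    m = re.search(pattern, event)
    return m.group("ID") if m else None


def nth_bracketed(event: str, n: int, allow_space: bool = True) -> Optional[str]:
    """Generalisation of the {2} trick: extract the n-th [...] field (1-based).

    allow_space tolerates whitespace between fields, as in wrangler2x's data;
    the closing \\] is required so a truncated field does not match.
    """
    sep = r"\s*" if allow_space else ""
    pattern = rf"(?:\[[^\]]*\]{sep}){{{n - 1}}}\[(?P<ID>[^\]]*)\]"
    return rex(pattern, event)


def count_by_id(pattern: str, events) -> dict:
    """Rough equivalent of `| stats count by ID`; events with no match are dropped."""
    return dict(Counter(v for v in (rex(pattern, e) for e in events) if v is not None))


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev[:36], "->",
              "first:", rex(REX_FIRST, ev),
              "spaced:", rex(REX_SPACED, ev),
              "counted:", rex(REX_COUNTED, ev),
              "nth(3):", nth_bracketed(ev, 3))
```

Running it shows why each answer fits a different input: REX_FIRST returns the date on [][][] data, REX_SPACED needs whitespace between the fields, REX_COUNTED needs none, and the original {} {] [] sample only ever had one [ ... ] to find.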