Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How do I write the regex to extract information within parenthesis?

BC88
New Member
โ€Ž11-18-2015 05:51 PM

Hey there,

I have been banging my head over this issue. Basically, I am searching a sourcetype for, let's call it, "X".

This search returns something along the lines of:

"Useless data here (Important Data)"

I am trying to display all of the information inside the parenthesis. I was looking at rex and regex and couldn't figure out how to word the syntax.

Any help would be appreciated!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
โ€Ž11-18-2015 06:07 PM

Hi BC88,

based on your provided example run this regex:

 your base search here sourcetype=X |rex "\((?<myData>[^\)]+)\)" | ...

This will create a new field called myData which you can rename if needed ๐Ÿ˜‰

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
โ€Ž11-18-2015 06:07 PM

Hi BC88,

based on your provided example run this regex:

 your base search here sourcetype=X |rex "\((?<myData>[^\)]+)\)" | ...

This will create a new field called myData which you can rename if needed ๐Ÿ˜‰

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

sjbriggs
Explorer
โ€Ž08-27-2019 09:44 AM

Struggled with this for two days until I found your answer. Thanks!

0 Karma
Reply