Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I write the regex to extract these 3 fields from my sample data?

adicoza786
Explorer
‎01-06-2016 03:55 PM

Hi,

I have the following sample field in my log.

filter=somename89898+20+O

I want to ideally extract 3 fields with + being separator, say:

name = somename89898
count = 20
state = O

However, + can also appear in the name, so I cannot use + to split, but here is what I know:

This will be in reverse (i.e. from last character):
The last character (one single character) of the field will always be an enum say {O or P}.
Previous to that, there will be one separator, and previous to that will be any number of digits.
Previous to that, there will be a separator, and anything that remains prior to that is the name field.

Another example to makes things clear:

filter=somename8+9898+20+O

Here, I want the following result:

name = somename8+9898
count = 20
state = O

Is there a way to achieve this?

Regards,
Aditya

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎01-06-2016 05:15 PM

Edit:

Lisa's answer is better:

filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$

You bet !

https://regex101.com/r/vJ2bE4/1

View solution in original post

Preview file
88 KB
Reply
Solved! Jump to solution

lguinn2
Legend
‎01-06-2016 05:53 PM

This forum may not be the best place to learn regular expressions, but I think this will do what you want

filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$

The above assumes that there is nothing on the line following the filter string. If you want to use this regular expression in a rex command, it would need to look like this

| rex field=filter "(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$"
Reply
Solved! Jump to solution
Solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎01-06-2016 05:15 PM

Edit:

Lisa's answer is better:

filter\=(?<name>\S+)\+(?<count>\d+?)\+(?<state>\S)$

You bet !

https://regex101.com/r/vJ2bE4/1

Preview file
88 KB
Reply
Solved! Jump to solution

adicoza786
Explorer
‎01-06-2016 05:54 PM

Thanks Iguinn.

0 Karma
Reply
Solved! Jump to solution

adicoza786
Explorer
‎01-06-2016 06:14 PM

The following too worked for me -

rex field=filter (?.*)\+(?\d+)\+(?O)
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...