Splunk Search

How do you make a regex field extraction to stop capture after underscore and last 2 digits?

almar_cabato
New Member

Hi,

I'm new to regex field extraction. I need a regex to capture only specific characters on my event source. I tried .car_(?.+20) but it gives me an output that I don't want:

Nam-Cluster_01_20
Nam-Cluster_02_20
Nam-Cluster_03_201902191052_20

Sample File Path:

 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190557_41794
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902191428_194444
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902191052_209807

Needed Output:

car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03

Thank you!

0 Karma
1 Solution

marycordova
SplunkTrust

(?<my_field_name>car_\w+\-Cluster_\d{2})

This matches the exact string "car_somelettershere-Cluster_" (the \w+ part will match any alpha characters in the middle) and then will capture the next two ({2}) digits (\d) at the end of the string.

also, just in case you haven't used/seen this before: https://regex101.com/

@marycordova

0 Karma

paranjith
Explorer

Try this:

.*\/(?P<field>.*\_\d{2})\_.*$

0 Karma

almar_cabato
New Member

Thank you very much! This works for me now. 🙂

0 Karma

almar_cabato
New Member

Thank you marycordova. This is almost close to what I'm looking for. But if my data changes to something like:

/path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_Asia-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Asia-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Asia-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_EMEA-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_EMEA-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_EMEA-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_India-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_India-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_India-Cluster_03_201902190559_41797

it only captures,

car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03

but not,

car_Asia-Cluster_01
car_Asia-Cluster_02
car_Asia-Cluster_03
car_EMEA-Cluster_01
car_EMEA-Cluster_02
car_EMEA-Cluster_03
car_India-Cluster_01
car_India-Cluster_02
car_India-Cluster_03

Thank you!

0 Karma

marycordova
SplunkTrust
SplunkTrust

@almar_cabato try the new edit

also, if this works, please accept my answer as correct 🙂

@marycordova
0 Karma

reed_kelly
Contributor

It is not the most efficient, but you can use:

|rex field=foo "car_(?<new_field>.+?)_20"

instead. This added ? says to not be greedy.

0 Karma
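To see how the three extractions in this thread behave on the same input, here is an added Python harness (not from the thread, and not Splunk's own code) that runs each pattern over constructed paths shaped like the poster's. Splunk's rex uses PCRE named groups spelled (?<name>...); Python's re module only accepts (?P<name>...), so the group names are respelled and the patterns are otherwise unchanged. It also includes a constructed edge case for the lazy pattern: a cluster numbered 20.

```python
import re

# Constructed sample paths modelled on the thread's data (not the poster's real events).
SAMPLE_PATHS = [
    "/path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795",
    "/path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902191052_209807",
    "/path1/path2/path3/path4/path5/car_Asia-Cluster_02_201902190559_41796",
    "/path1/path2/path3/path4/path5/car_India-Cluster_03_201902190559_41797",
]

# Constructed edge case: a cluster whose two-digit number happens to be 20.
PITFALL_PATH = "/path1/path2/car_Nam-Cluster_20_201902190559_41795"

# The three candidate extractions from the thread, with (?<name>...) respelled as
# (?P<name>...) for Python's re module; the rest of each pattern is verbatim.
PATTERNS = {
    "accepted": r"(?P<my_field_name>car_\w+\-Cluster_\d{2})",   # marycordova
    "anchored": r".*\/(?P<field>.*\_\d{2})\_.*$",                # paranjith
    "lazy": r"car_(?P<new_field>.+?)_20",                        # reed_kelly
}


def extract(pattern: str, paths) -> list:
    """Apply one extraction to each path, returning the captured group value
    (or None when the regex does not match), i.e. what rex would put in the field."""
    regex = re.compile(pattern)
    return [m.group(1) if (m := regex.search(p)) else None for p in paths]


def lazy_pitfall() -> str:
    """With a cluster numbered 20, `.+?_20` stops at the cluster number itself,
    because the first `_20` after `car_` is now the cluster suffix, not the
    timestamp. The accepted pattern is unaffected by this input."""
    return extract(PATTERNS["lazy"], [PITFALL_PATH])[0]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(name, extract(pattern, SAMPLE_PATHS))
    print("lazy on cluster 20:", lazy_pitfall())
    print("accepted on cluster 20:", extract(PATTERNS["accepted"], [PITFALL_PATH])[0])
```

Note that the lazy pattern also drops the car_ prefix the question asked for, since the prefix sits outside its capture group.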