How do you make a regex field extraction to stop capture after underscore and last 2 digits?

almar_cabato
New Member

Hi,

I'm new to regex field extraction. I need a regex to capture only specific characters on my event source. I tried .car_(?.+20) but it gives me an output that I don't want:

Nam-Cluster_01_20
Nam-Cluster_02_20
Nam-Cluster_03_201902191052_20

Sample File Path:

 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190557_41794
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902191428_194444
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902191052_209807

Needed Output:

car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03

Thank you!

0 Karma
1 Solution

marycordova
SplunkTrust

(?<my_field_name>car_\w+\-Cluster_\d{2})

this matches the exact string "car_somelettershere-Cluster_" (the \w+ part will match any alpha characters in the middle) and then will capture the next two {2} digits \d at the end of the string

also, just in case you haven't used/seen this before: https://regex101.com/

@marycordova

0 Karma

paranjith
Explorer

Try this:

.*\/(?P<field>.*\_\d{2})\_.*$


0 Karma

almar_cabato
New Member

Thank you very much! This works for me now. 🙂

0 Karma

almar_cabato
New Member

Thank you marycordova. This is almost close to what I'm looking for. But if my data changes to something like:

/path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_Asia-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Asia-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Asia-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_EMEA-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_EMEA-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_EMEA-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_India-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_India-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_India-Cluster_03_201902190559_41797

it only captures,

car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03

but not,

car_Asia-Cluster_01
car_Asia-Cluster_02
car_Asia-Cluster_03
car_EMEA-Cluster_01
car_EMEA-Cluster_02
car_EMEA-Cluster_03
car_India-Cluster_01
car_India-Cluster_02
car_India-Cluster_03

Thank you!

0 Karma

marycordova
SplunkTrust

@almar_cabato try the new edit

also, if this works, please accept my answer as correct 🙂

@marycordova
0 Karma

reed_kelly
Contributor

It is not the most efficient, but you can use:

|rex field=foo "car_(?<new_field>.+?)_20"

instead. This added ? says to not be greedy.

0 Karma
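
The patterns posted in this thread, run side by side against paths taken from the thread's samples. This is an added example, not part of any poster's answer. It uses Python's `re`, which requires `(?P<name>...)` for named groups; the group name `f` and the labels `greedy`, `explicit`, `anchored` and `lazy` are hypothetical.

```python
import re

# Sample input: file paths copied from the examples posted in the thread.
PATHS = [
    "/path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795",
    "/path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902191052_209807",
    "/path1/path2/path3/path4/path5/car_Asia-Cluster_02_201902190559_41796",
    "/path1/path2/path3/path4/path5/car_EMEA-Cluster_03_201902190559_41797",
]

# Group name "f" is hypothetical; the labels are only for this comparison.
PATTERNS = {
    # Greedy .+ runs to the LAST "20" in the path, so a trailing id such as
    # "_209807" drags the timestamp into the capture.
    "greedy": r".car_(?P<f>.+20)",
    # Literal "car_", any word characters, "-Cluster_", exactly two digits.
    "explicit": r"(?P<f>car_\w+\-Cluster_\d{2})",
    # Everything after the last "/" up to an underscore-delimited 2-digit run.
    "anchored": r".*\/(?P<f>.*\_\d{2})\_.*$",
    # Lazy .+? stops at the FIRST "_20"; the "car_" prefix is outside the group.
    "lazy": r"car_(?P<f>.+?)_20",
}


def extract(name, path):
    """Return the captured field for one pattern and path, or None."""
    m = re.search(PATTERNS[name], path)
    return m.group("f") if m else None


def run_all():
    """Map each pattern label to its captures over every sample path."""
    return {name: [extract(name, p) for p in PATHS] for name in PATTERNS}


if __name__ == "__main__":
    for name, values in run_all().items():
        print(f"{name:9}", values)
```

The lazy pattern depends on the timestamp starting with `20`, and its capture omits the `car_` prefix unless the prefix is moved inside the group.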