Solved: Re: How do you make a regex field extraction to st...

almar_cabato · ‎02-19-2019

Hi,

I'm new to regex field extraction. I need a regex to capture only specific characters on my event source. I tried .car_(?.+20) but it gives me an output that I don't want:

Nam-Cluster_01_20
Nam-Cluster_02_20
Nam-Cluster_03_201902191052_20

Sample File Path:

 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
 /path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190557_41794
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902191428_194444
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190754_194346
 /path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902191052_209807

Needed Output:

car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03

Thank you!

marycordova · ‎02-19-2019

(?<my_field_name>car_\w+\-Cluster_\d{2})

this matches the exact string "car_somelettershere-Cluster_" (the \w+ part will match any alpha characters in the middle) and then will capture the next two {2} digits \d at the end of the string

also, just in case you haven't used/seen this before: https://regex101.com/

@marycordova

View solution in original post

paranjith · ‎02-19-2019

Try this:

.*\/(?P<field>.*\_\d{2})\_.*$

,Try this:
.\/(?P._\d{2})_.*

marycordova · ‎02-19-2019

(?<my_field_name>car_\w+\-Cluster_\d{2})

this matches the exact string "car_somelettershere-Cluster_" (the \w+ part will match any alpha characters in the middle) and then will capture the next two {2} digits \d at the end of the string

also, just in case you haven't used/seen this before: https://regex101.com/

@marycordova

almar_cabato · ‎02-20-2019

Thank you very much! This works for me now. 🙂

almar_cabato · ‎02-19-2019

Thank you marycordova. This is almost close to what I'm looking for. But if my data changes to something like:

/path1/path2/path3/path4/path5/car_Nam-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Nam-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Nam-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_Asia-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_Asia-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_Asia-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_EMEA-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_EMEA-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_EMEA-Cluster_03_201902190559_41797
/path1/path2/path3/path4/path5/car_India-Cluster_01_201902190559_41795
/path1/path2/path3/path4/path5/car_India-Cluster_02_201902190559_41796
/path1/path2/path3/path4/path5/car_India-Cluster_03_201902190559_41797

it only captures,

car_Nam-Cluster_01
car_Nam-Cluster_02
car_Nam-Cluster_03

but not,

car_Asia-Cluster_01
car_Asia-Cluster_02
car_Asia-Cluster_03
car_EMEA-Cluster_01
car_EMEA-Cluster_02
car_EMEA-Cluster_03
car_India-Cluster_01
car_India-Cluster_02
car_India-Cluster_03

Thank you!

marycordova · ‎02-20-2019

@almar_cabato try the new edit

also, if this works, please accept my answer as correct 🙂

@marycordova

reed_kelly · ‎02-19-2019

It is not the most efficient, but you can use:

|rex field=foo "car_(?<new_field>.+?)_20"

instead. This added ? says to not be greedy.

How do you make a regex field extraction to stop capture after underscore and last 2 digits?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!