Solved: Re: How to combine multiple rex expressions and re... - Page 2

IRHM73 · ‎07-15-2015

Hi, I wonder if someone could help me please.

I'm currently using the following to extract certain fields contained with the events raw data.

| rex "Address Line 1=(?<address1>[^,]*)"  | rex "Address Line 2=(?<address2>[^,]*)"  | rex "Address Line 3=(?<address3>[^,]*)"  | rex "Address Line 4=(?<address4>[^,]*)"  | rex "Postcode=(?<postcode>[^,]*)"  |

But to cut down on the number of searches, I'm trying to join the rex expressions together, so using the inbuilt field extractor I've come up with the following:

rex "^(?:[^=\n]*=){6}(?P<Address_Line_1>[^=]+)[^ \n]* (?P<Address_Line_2>[^=]+)=,\s+(?P<Address_Line_3>\w+\s+\w+\s+\d+)=,\s+(?P<Address_Line_4>[^=]+)=,\s+\w+\s+(?P<Postcode>[^=]+)" |

But I'm having a little difficulty in replicating this part of the original rex expressions

 (?<address1>

where I'm renaming the field with the aim of then using an eval expression to create a combined Address field.

Could someone perhaps have a look at this please and offer some guidance on how may go about achieving this.
Many thanks and kind regards

Chris

woodcock · ‎07-17-2015

Assuming that the OP has given sample data THAT DOES NOT MATCH his real data and that there is "something" before the text that HE SAID was sample data, this should work:

 ... | rex ".*?Address Line 1=(?<address1>[^\,]*)[^=]*=(?<address2>[^,]*)[^=]*=(?<address3>[^\,]*)[^=]*=(?<address4>[^\,]*)[^=]*=(?<Postcode>[\w]*)"

View solution in original post

IRHM73 · ‎07-16-2015

Hi @woodcock, thank you for coming back to me with this.

Unfortunately this doesn't work.

If you look at my original post, the expression was as follows: rex "Address Line 1=(?[^,]*)".

With this, the expression searches for 'Address_Line_1' which is how the field is formatted in the raw data and then the second part renames this to 'adddress1'.

In the query you kindly provided, this only looks for 'Address_Line_1' it doesn't rename this.

Many thanks and kind regards

Chris

woodcock · ‎07-16-2015

Chris, did you actually try the After command? I believe you are misunderstanding the RegEx. The string between the angle-brackets is the NAME of the captured group. It seems that you are assuming that because the literal string "Address Line " is not present in my RegEx, that it cannot work, but this is incorrect. I can match it based on the placement and ordering of the equals-signs also, which is what the RegEx is doing. Just try it.

jeffland · ‎07-16-2015

Your "sample" is just what I wanted, of course you don't have to post actual content - just the form of it. Have a look at this:

[^\=]*\=(?<Address_Line_1>[^\,]*)[^\=]*\=(?<Address_Line_2>[^,]*)[^\=]*\=(?<Address_Line_3>[^\,]*)[^\=]*\=(?P<Address_Line_4>[^\,]*)[^\=]*\=(?<Postcode>[\w]*)

I was curious to see a sample because the regex the field extractor built looked weird.

IRHM73 · ‎07-16-2015

Hi @jeffland, thank you for coming back to me with this.

The expression works, but it doesn't change for example 'Address Line 1' to 'address1' as per my original post.

Many thanks and kind regards

Chris

jeffland · ‎07-16-2015

Ok, then just rename the capturing group in question - i.e. rename

[^\=]*\=(?<Address_Line_1>[^\,]*) ...

to

[^\=]*\=(?<address1>[^\,]*) ...

IRHM73 · ‎07-16-2015

Hi @jeffland, thank you for coming back to me, but unfortuantely this doens't work, because the expression is not looking for 'Address_Line_1' before renaming it.

If you look at my original expression: rex "Address Line 1=(?[^,]*)" the first part looks for the 'Address_Line_1' field, then it renames this to 'address1' which I can then pick up lateron in my query to pull all the address details together.

Many thanks and kind regards

Chris

jeffland · ‎07-16-2015

That's not how rex works. The command extracts something from an existing string and can place selected parts of that under any name in a field.

I just tried to smarten up your initial regex by not using the rigid "Address Line 1=", but you could of course keep that rigid format:

Address\sLine\s1\=(?<address1>[^\,]*)Address\sLine\2\=(?<address2>[^,]*)...

landen99 · ‎07-20-2015

I know, right. Does the answer have to be spoon-fed to him?

dineshraj9 · ‎07-16-2015

Try this -

| rex "Address Line 1=(?[^,]*)\,\s*Address Line 2=(?[^,]*)\,\s*Address Line 3=(?[^,]*)\,\s*Address Line 4=(?[^,]*)\,\s*Postcode=(?[^,]*)"

dineshraj9 · ‎07-16-2015

| rex "Address Line 1=(?<addressline1>[^,]*)\,\s*Address Line 2=(?<addressline2>[^,]*)\,\s*Address Line 3=(?<addressline3>[^,]*)\,\s*Address Line 4=(?<addressline4>[^,]*)\,\s*Postcode=(?postcode[^,]*)"

IRHM73 · ‎07-16-2015

Hi @ddineshraj9, thank you for coming back to me with this, but unfortunately I'm still receiving the following error:

Error in 'rex' command: Encountered the following error while compiling the regex 'Address Line 1=(?[^,]*)\,\s*Address Line 2=(?[^,]*)\,\s*Address Line 3=(?[^,]*)\,\s*Address Line 4=(?[^,]*)\,\s*Postcode=(?postcode[^,]*)': Regex: unrecognized character after (? or (?-

Many thanks and kind regards

Chris

ppablo · ‎07-16-2015

Hi @dineshraj9

Please don't post multiple answers on one question. If you're trying to add more content, just comment below your original answer. Also, it's helpful if you explain your searches to the user (and everyone else reading this post) rather than just copying and pasting it without context. I've converted your other 2 answers under your first one already, so something to keep in mind for the future. Thanks.

dineshraj9 · ‎07-16-2015

@ppablo : I really don't understand why I keep getting messages that moderator would review the post and once they approve it will show up.
Ya will ensure that I explain my answers. But please improve the portal to not crash when uploading answers and moderators to be quick in reviewing the answers and uploading it..
Thanks!!!

ppablo · ‎07-21-2015

Hey @dineshraj9

There has been a wave of hundreds of spam hitting the site daily in the past several weeks, so admins have had to adjust spam filter settings and have the developers work on improving/creating tools for more flexibility to not flag false positives. One of the settings was a special character percentage setting which probably caught some of your posts that were heavy with regular expression characters. My job is to relay what's happening with users activity since I monitor and edit content for the site, so thanks for your patience while we get things situated and being an actively engaged community member 🙂

Patrick

dineshraj9 · ‎07-16-2015

| rex "Address Line 1=(?<addressline1>[^,]*)\,\s*Address Line 2=(?<addressline2>[^,]*)\,\s*Address Line 3=(?<addressline3>[^,]*)\,\s*Address Line 4=(?<addressline4>[^,]*)\,\s*Postcode=(?postcode[^,]*)"

IRHM73 · ‎07-16-2015

Hi thank you for taking the time to reply to my post.

I've tried the expression you kindly provided, and unfortunately I'm receiving the following error:

Error in 'rex' command: Encountered the following error while compiling the regex 'Address Line 1=(?[^,]*)\,\s*Address Line 2=(?[^,]*)\,\s*Address Line 3=(?[^,]*)\,\s*Address Line 4=(?[^,]*)\,\s*Postcode=(?[^,]*)': Regex: unrecognized character after (? or (?-

In additon, and forgive me, but am I right in thinking that this won't for example find 'Address Line 1' and then change it to 'address1' as per my original query.

Many thanks and kind regards

Chris

IRHM73 · ‎07-16-2015

Hi @jeffland, thank you for taking the time to reply to my post.

Unfortunately I'm unable to provide you with event details because of their confidential nature, but the address lines are in the following format:

Address Line 1=1The Street, Address Line 2=The Town, Address Line 3=, Address Line 4=The City, Postcode=AB12CD

I'm not sure whether this helps.

Many thanks and kind regards

Chris

jeffland · ‎07-15-2015

A sample of such an event would be helpful. Also, is there a reason you want to use rex instead of automatic field extractions?

How to combine multiple rex expressions and rename the field for an eval expression?

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!