Splunk Search

How to create a regex to extract fields between two hyphens?

Explorer

Hi,help me in writing regex to extract field between two hyhpens.

Eg: S-STRA-32
F-FIDR-67

Thanks!

0 Karma
1 Solution

Esteemed Legend

Add this to your search:

... | rex max_match=0 "(?<=-)(?<betweenHyphens>[^-]+)(?=-)"

This captures multiples, even sequentials like when you do this, which the others do not:

|makeresults | eval _raw="foo-bar-bat-boo"
| rex max_match=0 "(?<=-)(?<betweenHyphens>[^-]+)(?=-)"

View solution in original post

0 Karma

Esteemed Legend

Add this to your search:

... | rex max_match=0 "(?<=-)(?<betweenHyphens>[^-]+)(?=-)"

This captures multiples, even sequentials like when you do this, which the others do not:

|makeresults | eval _raw="foo-bar-bat-boo"
| rex max_match=0 "(?<=-)(?<betweenHyphens>[^-]+)(?=-)"

View solution in original post

0 Karma

Champion

Hi

Try this

| makeresults 
| eval str="F-FIDR-67" 
| eval result = mvindex(split(str,"-"),1)
0 Karma

New Member
   | rex field=<yourfield> "\-(?P<field_name>\w+)\-"
0 Karma

Motivator

Hello @Deepz2612,

Please try regex: -(?<your_field>.*)-. You will get value between two hyphen in "your_field" field.

This will work but if you have further information about elements on both side of hyphen you can make regex faster. For example I'm assuming we have only one characters on left side of hyphen and some digits on right side of hyphen we can use regex: [a-zA-Z]-(?<your_field>.*)-\d+.

Hope this helps!!!

0 Karma

SplunkTrust
SplunkTrust

Hi,

Please try below regex, it will extract data in new field called extracted_field

<yourBaseSearch>
| rex field=<yourfield> "^[^\-]+\-(?<extracted_field>[^\-]+)\-"