Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a dynamic String that is comma delimited (it comes directly after a constant)?

lordhans
Explorer
‎11-13-2017 03:25 PM

The Splunk logs I'm working with are big and don't come with any predefined useful fields. I want to extract a dynamic String that is delimited by two commas and comes directly after a constant.

Here is an example:

~someMethodHere,0000-CODE012 ,ClientID,NA,6728233,

The "~someMethodHere,0000-CODE012" will be a constant and is what I am using in the search query. Directly after the constant is a space, then a comma, then the ClientID, then another comma. I want to extract "ClientID". The ClientID is dynamic and can be any letters or numbers. Also, the "~someMethodHere,0000-CODE012 ,ClientID,NA,6728233," example is surrounded by lots of other logging info that is irrelevant to this particular detail.

I think I should use a regex here but I'm not sure how to only start the regex AFTER "~someMethodHere,0000-CODE012 ," and then delimit using the following comma. Would really appreciate any help here.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 04:43 PM

~someMethodHere,0000-CODE012 ,(?<client_id>[^,]+),

The only real logic here is [^,] which matches anything except a comma. The regex matches one or more of those characters followed by a comma.

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎11-13-2017 04:43 PM

~someMethodHere,0000-CODE012 ,(?<client_id>[^,]+),

The only real logic here is [^,] which matches anything except a comma. The regex matches one or more of those characters followed by a comma.

Reply
Solved! Jump to solution

cpetterborg
SplunkTrust
SplunkTrust
‎11-13-2017 04:26 PM

The regex for the example data that you have above would likely be something like:

someMethodHere,0000-CODE012 ,(?P<clientid>[^,]*),

Depending on your use of the above regex, you may have to modify it slightly, but if you use a rex command, that should work.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...