Solved: Re: How to extract a sequence from this log with r...

splunk2019tlmd · ‎04-08-2020

I have this log :

        <LST>
      <S>Watch</S>
      <S>Move</S>
      <S>Delete</S>
      <S>Flip</S>
    </LST>

And I want to extract this part with rex syntax :

  <S>Watch</S>
      <S>Move</S>
      <S>Delete</S>
      <S>Flip</S>

But I am not having success , I think is because the specials characters.

Thank you in advance

to4kawa · ‎04-08-2020

| rex max_match=0 "(?<attr>\<\w\>\w+\<\/\w\>)"

use \ (back slash)

View solution in original post

to4kawa · ‎04-08-2020

| rex max_match=0 "(?<attr>\<\w\>\w+\<\/\w\>)"

use \ (back slash)

splunk2019tlmd · ‎04-08-2020

It works but the outputs is one line, in case I want the sequence (Move Delete Flip) ) in one line, I guess I have to replicate the example. Thank you

to4kawa · ‎04-08-2020

 ....
| eval sequence=mvjoin(attr," ")

try this

How to extract a sequence from this log with rex command

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How to extract a sequence from this log with rex command

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?