
How to extract all fields between a word and two specific characters in a string?

royimad
Builder

I have a text as following:

Hello OFF anything blah blah & ^ anything -   )<  OFF anything blo blo & ^ ble -  )< OFF  anything bli bli & ^ ble -  )<

I need to extract all the fields that start with OFF and end with the 2 characters )<.
In my case, 3 fields need to be extracted.

I wrote a search, but it only extracts the first occurrence, while I want to extract all the fields:

 sourcetype=imap OFF | rex field=_raw "OFF (?<myfields>.*?)\)\<"
0 Karma
1 Solution

sundareshr
Legend

This should work (use only the rex command segment)

| gentimes start=-1 | eval _raw="Hello OFF anything blah blah & ^ anything - )< OFF anything blo blo & ^ ble - )< OFF anything bli bli & ^ ble - )<" | rex max_match=0 field=_raw "OFF\s(?<field>[^\)]+)" | table field


jkat54
SplunkTrust

How about this?

  rex "(?ms)(?<=OFF )(?<myFields>.*)(?=\)\>)"

If that doesn't work, try it without (?ms).

0 Karma

jkat54
SplunkTrust

You might also have to break the source data into one event per line.

0 Karma

royimad
Builder

Your regular expression selects the field starting with OFF and ending with )< into one field, but it does not split it into 3 fields. I can't break the source data into one event per line (it's an email that I'm trying to decode).

0 Karma

jkat54
SplunkTrust

Did it split the desired fields by spaces but into just one field?

0 Karma

jkat54
SplunkTrust

If so we can fix it from there.

0 Karma

royimad
Builder

Thank you.

0 Karma

royimad
Builder

I also tried it without (?ms); the result is the same, one field was selected as follows:
a field starting with the first occurrence of OFF and ending with the last occurrence of )>

0 Karma
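As an added illustration (not code from the thread), the sample event run through Python's `re` module, which behaves like Splunk's PCRE for these patterns: the asker's non-greedy pattern and sundareshr's `[^\)]+` pattern both yield all three fields once every match is collected (what `rex max_match=0` does, versus the default of one match), while the greedy lookaround pattern from jkat54's reply swallows everything up to the last terminator into a single field, which is the result royimad reported. Assumed: the terminator is `)<` as in the question, and the event is a constructed copy of the sample with whitespace collapsed.

```python
import re

# Constructed copy of the sample event from the question (whitespace collapsed).
EVENT = ("Hello OFF anything blah blah & ^ anything - )< "
         "OFF anything blo blo & ^ ble - )< "
         "OFF anything bli bli & ^ ble - )<")

# Splunk's PCRE named group (?<name>...) is written (?P<name>...) in Python.
# The asker's pattern: non-greedy ".*?" up to the two-character terminator ")<".
ASKER = re.compile(r"OFF (?P<myfields>.*?)\)<")
# The accepted answer's pattern: capture everything that is not ")".
ACCEPTED = re.compile(r"OFF\s(?P<field>[^\)]+)")
# The lookaround pattern with a greedy ".*"; terminator assumed to be ")<" here.
GREEDY = re.compile(r"(?<=OFF )(?P<myFields>.*)(?=\)<)")


def first_match(pattern, text):
    """Default rex behaviour (max_match=1): only the first match is extracted."""
    m = pattern.search(text)
    return [m.group(1)] if m else []


def all_matches(pattern, text):
    """rex max_match=0 behaviour: every non-overlapping match is extracted."""
    return [m.group(1) for m in pattern.finditer(text)]


if __name__ == "__main__":
    for name, pat in (("asker", ASKER), ("accepted", ACCEPTED), ("greedy", GREEDY)):
        print(name, "first:", first_match(pat, EVENT))
        print(name, "all:  ", all_matches(pat, EVENT))
```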