Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract all fields between a word and two specific characters in a string?

royimad
Builder
‎05-20-2016 05:04 AM

I have a text as following:

Hello OFF anything blah blah & ^ anything -   )<  OFF anything blo blo & ^ ble -  )< OFF  anything bli bli & ^ ble -  )<

I need to extract all the fields that start with OFF and end with 2 characters )<
In my case, 3 fields need to be extracted.

I wrote a search, but it's only extracting the first occurrence while I want to extract all the fields

 sourcetype=imap OFF | rex field=_raw "OFF (?<myfields>.*?)\)\<"
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-20-2016 06:08 AM

This should work (use only the rex command segment)

| gentimes start=-1 | eval _raw="Hello OFF anything blah blah & ^ anything - )< OFF anything blo blo & ^ ble - )< OFF anything bli bli & ^ ble - )<" | rex max_match=0 field=_raw "OFF\s(?<field>[^\)]+)" | table field

View solution in original post

Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎05-20-2016 06:08 AM

This should work (use only the rex command segment)

| gentimes start=-1 | eval _raw="Hello OFF anything blah blah & ^ anything - )< OFF anything blo blo & ^ ble - )< OFF anything bli bli & ^ ble - )<" | rex max_match=0 field=_raw "OFF\s(?<field>[^\)]+)" | table field
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-20-2016 05:15 AM

How about this?

  rex "(?ms)(?<=OFF )(?<myFields>.*)(?=\)\>)"

If that doesn't work, try it without (?ms).

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-20-2016 05:18 AM

You might also have to break the source data into one event per line.

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎05-20-2016 05:35 AM

Your regular expression select the field started by OFF and ended with )< into one field but it did not split it into 3 fields , i can't break the source data into one event per line ( its an email while i'm trying to decode )

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-20-2016 06:07 AM

Did it split the desired fields by spaces but into just one field?

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎05-20-2016 06:17 AM

If so we can fix it from there.

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎05-31-2016 12:16 AM

Thanks you.

0 Karma
Reply
Solved! Jump to solution

royimad
Builder
‎05-20-2016 05:38 AM

I also try it without ms ( the result is the same, one field was selected as following:
Field started with the first concurrence of OFF and ending with the last occurrence of )>

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...