Solved: How to extract container name and ID from a log us...

pavanmishra0102 · ‎08-31-2020

(Item Id: 45) Container Name: Abc Admin Accounts (Container Id: 19) suid=1

need to extract Container name & Container id from the above partial log posted here using regex. Kindly help. Thanks in advance

rnowitzki · ‎08-31-2020

Hi @pavanmishra0102 ,

This should do it:

Container\sName:\s(?<container_name>.*)\((?<=\()Container\sId:\s(?<container_id>\d+)\)

BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.

View solution in original post

rnowitzki · ‎08-31-2020

Hi @pavanmishra0102 ,

This should do it:

Container\sName:\s(?<container_name>.*)\((?<=\()Container\sId:\s(?<container_id>\d+)\)

BR
Ralph
--
Karma and/or Solution tagging appreciated.

--
Karma and/or Solution tagging appreciated.

isoutamo · ‎08-31-2020

Hi

this helps you:

index=_internal
| head 1
| eval _raw ="(Item Id: 45) Container Name: Abc Admin Accounts (Container Id: 19) suid=1"
| rename COMMENT "Previous sets sample data, next line select values"
| rex "Container Name: (?<CName>[^\(]+)\(Container Id: (?<CId>\d+)"

r. Ismo

How to extract container name and ID from a log using regex?

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation