Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract data using regex?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to extract data using regex?
Hi All,
I Have data in below mentioned format.
I need to extract value CUP_Used and cup_used using regex and store it as a separate filed.
But in below mentioned pattern CUP_Used and cup_used is available in 2nd or 3rd place in unstructured data set. I need to extract only CUP_Used and cup_used.
[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;CUP_Used;
[15330744495] DATA Thing: SVR~1232.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;
I have used the below mentioned rex to extract CUP_Used and cup_used. But I'm getting values as mentioned below. But i don't need values like s,LUV etc . With single rex i need to extract the value CUP_Used and cup_used.
LUV
CUP_Used
s
s
cup_used
\d\d\]\s[^:]+:\s[^;]+;(?P<hard>[a-zA-Z_]+)
\d\d\]\s[^:]+:\s[^;]+;(?P<hard>[^;]+);
Thanks in advance..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
...|rex "(?P<hard>\w+);$"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for inconvenience caused. There are many data patterns are there. please find below for the sample.
[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;CUP_Used;
[15330744495] DATA Thing: SVR~1232.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;
[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;datat;Splunk;
[15330744495] DATA Thing: SVR~1232.CBE.data.com En;min;max;splunk1
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;working;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;
needed values : cup_used,CUP_Used,Splunk,splunk1,working.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
updated the answer ..please try above
this answer work if every line is one separate event
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@493669,
No its not working..
[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;CUP_Used;
[15330744495] DATA Thing: SVR~1232.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;CUP_Used;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;
[15330442604] DATA SHOW: Enter;LUV-127lE$131.CBE.data.com;datat;Splunk;
[15330744495] DATA Thing: SVR~1232.CBE.data.com En;min;max;splunk1
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;working;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;cup_used;
[15380142481] DATA SHOW: En;cup_used;Retre;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;working;data;
[15380142481] DATA SHOW: Enter@FFDDEEF;s99vNN147.CBE.data.com;working;data;sdhgfsd;dshhd
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You keep coming up with new sample patterns. You'll really need to come up with a clear definition of what you want to extract, in order for anyone to come up with a working regex.
For starters: please be more clear than "its not working". What results do you get and which of those are correct and which are not?
From your earlier explanations, it seemed as if you want to capture the last 'field' in the line, but apparently that is not entirely the case? If you just want to check for the presence of one of those words you now mentioned (cup_used,CUP_Used,Splunk,splunk1,working), then try this:
| rex "(?<hard>cup_used|CUP_Used|Splunk|splunk1|working)"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
