How to extract field with regex such as sentence with space

syokota_splunk
Splunk Employee

Hi regex masters,
Please help me.

Below are sample xml logs.

Incident Number: 151719935
    Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2040
    Area Code: 17
    Area Name: Devonshire
    Road: 1782
Incident Number: 150920551
    Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2000
    Area Code: 09
    Area Name: Van Nuys
    Road: 0915

And I'd like to extract the "Area Name" field, so I tried the regex below.

(Area Name: )(?P<area_name>\w+)

I succeed in getting the value from the 1st sample log, but I cannot get it from the 2nd sample log.

How do I get not only words without spaces but also words with spaces?


syokota_splunk
Splunk Employee

Finally I did it. It seems the raw log has no "\n" character but has "\s".
Thanks all!


jgbricker
Contributor

You could use a pattern that says anything not a colon continued and then add the colon.

[^\:]+\:

Then you can say not a new line continued [^\n]+

You would want to account for the comma. Putting it together would be something like
[^\:]+\:[^\n]+\n[^\:]+\:[^\,]+\,[^\:]+\:[^\n]+\n

You wrap the parts you want to extract and label them (?P<name>PatternForValue)

The above pattern isn't complete. I could finish it, but it may help you to do that yourself. Try using regex101.com; it explains what you are doing and finding.

harsmarvania57
Ultra Champion

Hi,

Will you please try this regex (Area\sName:\s)(?P<area_name>.*) ?


syokota_splunk
Splunk Employee

It matches everything after "Area Name:", also Road and Crime Code.

harsmarvania57
Ultra Champion

Try this (Area\sName:\s)(?P<area_name>.*)\n


syokota_splunk
Splunk Employee

The same issue happens.

harsmarvania57
Ultra Champion

Based on the sample data, if I run the search below it gives me Van Nuys only.

| makeresults 
| eval field1="Incident Number: 150920551
     Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2000
     Area Code: 09
     Area Name: Van Nuys
     Road: 0915" 
| rex field=field1 "(?s)(Area\sName:\s)(?P<area_name>.*)\n"

syokota_splunk
Splunk Employee

Yes, your search can get it. But it seems the raw log has no '\n' character after "Van Nuys".
Finally I figured it out thanks to your suggestion.
I put the screen shot on new comment.

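The three behaviours discussed in this thread (the `\w+` attempt stopping at the first space, the `(?s).*\n` pattern working only when a newline follows the value, and the need to tolerate a record whose line breaks have been flattened to whitespace) can be reproduced outside Splunk. The script below is an added example, not code from the thread or from Splunk; it uses Python's `re` module, which accepts the same `(?P<name>...)` named-group syntax as Splunk's `rex`, and the records are constructed from the sample data in the question. The `until_next_label` pattern stops at the next known `Key:` label or at the end of the record, so it returns the same value whether the record contains newlines or only runs of spaces; the list of label names it stops at is an assumption taken from the fields visible in the thread.

```python
import re
from typing import Optional

# Constructed sample record, modelled on the second record in the question.
RECORD_WITH_NEWLINES = (
    "Incident Number: 150920551\n"
    "    Date Of Incident: 12/02/2015 12:00:00 AM, Time of Incident: 2000\n"
    "    Area Code: 09\n"
    "    Area Name: Van Nuys\n"
    "    Road: 0915"
)

# The same record with every line break flattened to a run of spaces. This is a
# constructed approximation of the asker's observation that the raw log had no
# "\n" but only whitespace between fields.
RECORD_FLATTENED = re.sub(r"\n\s*", "    ", RECORD_WITH_NEWLINES)

PATTERNS = {
    # The asker's first attempt: \w+ cannot cross a space, so "Van Nuys" -> "Van".
    "word_only": r"Area Name: (?P<area_name>\w+)",
    # The suggested pattern: (?s) lets .* span lines, and the trailing \n makes the
    # greedy .* backtrack to the LAST newline in the record. It only matches at all
    # when some newline follows the value.
    "dot_star_dotall": r"(?s)Area\sName:\s(?P<area_name>.*)\n",
    # Lazy capture that stops just before the next "Key:" label (assumed label names
    # taken from the thread) or at the end of the record. \s+ in the lookahead accepts
    # a newline, a run of spaces, or any mix of the two.
    "until_next_label": (
        r"Area Name:\s*(?P<area_name>.+?)"
        r"(?=\s+(?:Road|Area Code|Date Of Incident|Incident Number|Crime Code):|\s*$)"
    ),
}


def extract_area_name(record: str, pattern_name: str) -> Optional[str]:
    """Apply one of the named patterns to a record and return the area_name group."""
    match = re.search(PATTERNS[pattern_name], record)
    return match.group("area_name") if match else None


def compare_patterns(record: str) -> dict:
    """Run every pattern against one record so the differences are visible side by side."""
    return {name: extract_area_name(record, name) for name in PATTERNS}


if __name__ == "__main__":
    for label, record in (("with newlines", RECORD_WITH_NEWLINES),
                          ("flattened", RECORD_FLATTENED)):
        print(label)
        for name, value in compare_patterns(record).items():
            print(f"  {name:>16}: {value!r}")
```

On the record with newlines, `dot_star_dotall` happens to return "Van Nuys" because the last newline in the record sits right after the value, which is why the `makeresults` test above looked correct; on the flattened record it returns nothing, because there is no newline left to anchor on. `until_next_label` returns "Van Nuys" for both. When the label that follows the field is not fixed, the lookahead can be widened to a generic `[A-Z][A-Za-z ]*:` label shape, at the cost of mis-splitting values that themselves contain a capitalised word followed by a colon.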

harsmarvania57
Ultra Champion

That's great, in this case you can accept your own answer so this question will be closed.
