Re: How to extract the field by using regex

Peru123 · ‎12-08-2022

Hi , I need to extract the value FISOBPIT10101 from the below lines.

message:PSUS7|8897|FISOBPIT10101|OWA|8897|8897|SignOnID|SPT|adding routing key in producer

yuanliu · ‎12-08-2022

Depending on whether the leading phrase "message" and the trailing phrases such as "adding routing key in producer" are important, you can use rex or just

If those phrases are unimportant, use split. It is more efficient.

| eval of_interest = mvindex(split(your_field, "|"), 2)

If the first phrase and the last are important,

| rex field=your_field "message:(\d+|){2}(?<of_interest>\w+)(|\d+){5}|adding routing key in producer"

ITWhisperer · ‎12-08-2022

| rex "([^|]+\|){2}(?<field>[^|]+)"

https://regex101.com/r/UTPJb4/1

Peru123 · ‎12-08-2022

Hi , I need this value only FISOBPIT10101

ITWhisperer · ‎12-08-2022

| rex "([^|]+\|){2}(?<field>FISOBPIT10101)"

StefanoA · ‎12-08-2022

You could go with | erex , if you're not expert with RegExs.

Otherwise, assuming the value is always in that position and not assuming a specific set of alphanumeric values, go with the following (13 steps per log, very efficient)

| rex field=<yourFieldOr_raw> "^(?:[^\|\v]*+\|){2}(?<yourValue>[^\|\v]*)"

How to extract the field by using regex?

regex

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes

Are you a member of the Splunk Community?

How to extract the field by using regex?

regex

Cultivate Your Career Growth with Fresh Splunk Training

Introducing a Smarter Way to Discover Apps on Splunkbase

How to Send Splunk Observability Alerts to Webex teams in Minutes