Re: How to extract the field by using regex?

Peru123 · ‎12-08-2022

Hi , I need to extract the value FISOBPIT10101 from the below lines.

message:PSUS7|8897|FISOBPIT10101|OWA|8897|8897|SignOnID|SPT|adding routing key in producer

yuanliu · ‎12-08-2022

Depending on whether the leading phrase "message" and the trailing phrases such as "adding routing key in producer" are important, you can use rex or just

If those phrases are unimportant, use split. It is more efficient.

| eval of_interest = mvindex(split(your_field, "|"), 2)

If the first phrase and the last are important,

| rex field=your_field "message:(\d+|){2}(?<of_interest>\w+)(|\d+){5}|adding routing key in producer"

ITWhisperer · ‎12-08-2022

| rex "([^|]+\|){2}(?<field>[^|]+)"

https://regex101.com/r/UTPJb4/1

Peru123 · ‎12-08-2022

Hi , I need this value only FISOBPIT10101

ITWhisperer · ‎12-08-2022

| rex "([^|]+\|){2}(?<field>FISOBPIT10101)"

StefanoA · ‎12-08-2022

You could go with | erex , if you're not expert with RegExs.

Otherwise, assuming the value is always in that position and not assuming a specific set of alphanumeric values, go with the following (13 steps per log, very efficient)

| rex field=<yourFieldOr_raw> "^(?:[^\|\v]*+\|){2}(?<yourValue>[^\|\v]*)"

How to extract the field by using regex?

regex

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

How to extract the field by using regex?

regex

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers