Splunk Search

How to extract the value before a specific character using regex or rex?

leagawa
New Member

I would like to extract the string before the first period in the field using regex or rex.

Example: extract ir7utbws001 before the period .Feb-12-2016.043./dev/sdi, and likewise in all these:

ir7utbws001.Feb-12-2016.043./dev/sdi

ir7mojavs12.Feb-12-2016.043./dev/sda1

Gcase-field-ogs-batch-004-staging.dec-12-2016.043

sb7sdamb002.Feb-12-2016.043./dev/sdn

ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1

ik2itpcp002.Feb-12-2016.043./dev/sda1

ebase-field-ods-batch-003.Feb-12-2016.043./dev/sdi

Leo-batch-001.Feb-12-2016.043./dev/sda1

0 Karma

mayurr98
Super Champion

Hey, try this run-anywhere search:

| makeresults 
| eval raw="ir7utbws001.Feb-12-2016.043./dev/sdi ir7mojavs12.Feb-12-2016.043./dev/sda1 Gcase-field-ogs-batch-004-staging.dec-12-2016.043 sb7sdamb002.Feb-12-2016.043./dev/sdn" 
| makemv raw 
| mvexpand raw 
| rex field=raw "^(?P<field_name>[^\.]+)"

In your environment you should write

| rex "^(?P<field_name>[^\.]+)"

Let me know if this helps!

aljohnson_splun
Splunk Employee
| rex "^(?<name_of_new_field>.+?)\."

Explanation:

^

Anchor to the beginning of the line.

(?<name_of_new_field> some regular expression )

This is just saying that whatever is in the parenthesis is a named capture group. Whatever you put between the < and > is the name of the new field.

.+?

Grab anything (.) one or more times (+) until (?) ...

\.

We find a literal dot \. - the backslash is to escape its normal meaning as a wildcard character.

Try checking out this link to validate it.
https://regex101.com/r/JvZ4fS/1

Try checking out https://regexone.com/ if you want to learn more about regular expressions.

cpetterborg
SplunkTrust

A vastly more efficient regex (roughly 5 times more efficient) is:

| rex "^(?<name_of_new_field>[^.]*)\."

The reason for the increase in efficiency is making the capture group look for something that is not a period and be greedy ( [^.]* ), not any character and be lazy ( .+? ).

0 Karma

siksaw33
Path Finder

Just curious.
How would this work if in the same example we have

ir7utbws001

as an entry?

As there is no 'period', your code would extract this as null. I wanted to extract the whole field if there is no period.

So basically, what is the alternative of

| eval temp=split(URL,".")
| eval Final=mvindex(temp,0)

0 Karma
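The three rex patterns in this thread (aljohnson_splun's lazy `.+?\.`, cpetterborg's negated class `[^.]*\.`, and mayurr98's `[^\.]+` without a trailing dot) behave identically on the values in the question but diverge exactly on siksaw33's no-period case and on a value that starts with a period. The script below is an added example, not code from any of the posters; it replays the patterns with Python's `re` module (Splunk's rex is PCRE-based and accepts both `(?<name>...)` and `(?P<name>...)`, while Python only accepts the `(?P<name>...)` spelling, so the groups are written that way here) against a constructed list built from the thread's own sample strings plus two extra entries, and sets the result to `None` where rex would leave the field unset. From a detection standpoint that silent no-match is the thing to watch: a host field that is quietly absent never reaches the alert that keys on it, which is why the pattern that does not require the dot, or the `split`/`mvindex` fallback, is the safer choice for hostnames.

```python
import re

# Constructed sample values: the thread's own strings plus siksaw33's no-period
# case and one leading-period value to show where the patterns disagree.
SAMPLES = [
    "ir7utbws001.Feb-12-2016.043./dev/sdi",
    "ir7mojavs12.Feb-12-2016.043./dev/sda1",
    "Gcase-field-ogs-batch-004-staging.dec-12-2016.043",
    "Leo-batch-001.Feb-12-2016.043./dev/sda1",
    "ir7utbws001",    # no period at all (siksaw33's question)
    ".hidden.conf",   # constructed: period in the first position
]

# The thread's three patterns, using Python's (?P<name>...) group syntax.
LAZY_DOT = re.compile(r"^(?P<host>.+?)\.")        # aljohnson_splun: lazy, needs a dot
NEGATED_CLASS = re.compile(r"^(?P<host>[^.]*)\.")  # cpetterborg: greedy class, needs a dot
NO_DOT_NEEDED = re.compile(r"^(?P<host>[^\.]+)")   # mayurr98: no trailing dot required


def extract(pattern, value):
    """Mimic `| rex`: return the named capture, or None when the pattern does
    not match (rex simply does not create the field in that case)."""
    m = pattern.search(value)
    return m.group("host") if m else None


def split_first(value):
    """Equivalent of `| eval temp=split(URL,".") | eval Final=mvindex(temp,0)`:
    always yields a value, even when there is no period at all."""
    return value.split(".")[0]


def compare_all(samples=SAMPLES):
    """Return {value: (lazy, negated_class, no_dot_needed, split)} per sample."""
    return {
        v: (
            extract(LAZY_DOT, v),
            extract(NEGATED_CLASS, v),
            extract(NO_DOT_NEEDED, v),
            split_first(v),
        )
        for v in samples
    }


if __name__ == "__main__":
    for value, (lazy, negated, no_dot, split) in compare_all().items():
        print(f"{value!r}\n  lazy={lazy!r}  negated={negated!r}  "
              f"no_dot={no_dot!r}  split={split!r}")
```

On the ordinary hostnames all four columns agree. On `ir7utbws001` the two dot-requiring patterns return no match, while `[^\.]+` and the split fallback return the whole string. On `.hidden.conf` the lazy pattern must consume at least one character and so captures `.hidden`, the `[^.]*` pattern captures an empty string, and `[^\.]+` anchored at `^` cannot match at all. The efficiency argument from cpetterborg's answer is the same reason `[^.]*` is easier to reason about: the engine never has to step back and retry because the class can never consume the delimiter it is looking for.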