Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract the value before a specific character using regex or rex?

leagawa
New Member
‎02-12-2018 02:34 PM

I would like to extract the string before the first period in the field using regex or rex

example: extract ir7utbws001 before the period .Feb-12-2016.043./dev/sdi and likewise in all these

ir7utbws001.Feb-12-2016.043./dev/sdi

ir7mojavs12.Feb-12-2016.043./dev/sda1

Gcase-field-ogs-batch-004-staging.dec-12-2016.043

sb7sdamb002.Feb-12-2016.043./dev/sdn

ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1

ik2itpcp002.Feb-12-2016.043./dev/sda1

ebase-field-ods-batch-003.Feb-12-2016.043./dev/sdi

Leo-batch-001.Feb-12-2016.043./dev/sda1

0 Karma
Reply

mayurr98
Super Champion
‎02-12-2018 10:12 PM

hey try this run anywhere search

| makeresults 
| eval raw="ir7utbws001.Feb-12-2016.043./dev/sdi ir7mojavs12.Feb-12-2016.043./dev/sda1 Gcase-field-ogs-batch-004-staging.dec-12-2016.043 sb7sdamb002.Feb-12-2016.043./dev/sdn" 
| makemv raw 
| mvexpand raw 
| rex field=raw "^(?P<field_name>[^\.]+)"

In your environment you should write 

| rex  "^(?P<field_name>[^\.]+)"

let me know if this helps!

Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎02-12-2018 04:07 PM 
| rex "^(?<name_of_new_field>.+?)\."

Explanation:

^

Anchor to the beginning of the line.

(?<name_of_new_field> some regular expression )

This is just saying that whatever is in the parenthesis is a named capture group. Whatever you put between the < and > is the name of the new field. 

.+?

Grab anything . one or more times + until ? ...

\.

We find a literal dot \. - the backslash is to escape its normal meaning as a wildcard character.

Try checking out this link to validate it.
https://regex101.com/r/JvZ4fS/1

Try checking out https://regexone.com/ if you want to learn more about regular expressions.

Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-12-2018 04:21 PM

A vastly more efficient regex (roughly 5 time more efficient) is:

| rex "^(?<name_of_new_field>[^.]*)\."

The reason for the increase in efficiency is making the capture group look for something that is not a period and be greedy ( [^.]* ), not any character and be lazy ( .+? ).

0 Karma
Reply

siksaw33
Path Finder
‎05-27-2022 06:38 AM

Just curious.
How would this work if in the same example we have


ir7utbws001

as an entry

as there is no 'period' your code would extract this as null. I wanted to extract the whole field if there is no period

So basically what is alternative of

| eval temp=split(URL,".")
| eval Final=mvindex(temp,0)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...