Splunk Search

How to extract the value before a specific character using regex or rex?

New Member

I would like to extract the string before the first period in the field using regex or rex.

Example: extract ir7utbws001 before the period .Feb-12-2016.043./dev/sdi, and likewise in all of these:

ir7utbws001.Feb-12-2016.043./dev/sdi

ir7mojavs12.Feb-12-2016.043./dev/sda1

Gcase-field-ogs-batch-004-staging.dec-12-2016.043

sb7sdamb002.Feb-12-2016.043./dev/sdn

ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1

ik2itpcp002.Feb-12-2016.043./dev/sda1

ebase-field-ods-batch-003.Feb-12-2016.043./dev/sdi

Leo-batch-001.Feb-12-2016.043./dev/sda1

0 Karma

SplunkTrust

Hey, try this run-anywhere search:

| makeresults 
| eval raw="ir7utbws001.Feb-12-2016.043./dev/sdi ir7mojavs12.Feb-12-2016.043./dev/sda1 Gcase-field-ogs-batch-004-staging.dec-12-2016.043 sb7sdamb002.Feb-12-2016.043./dev/sdn" 
| makemv raw 
| mvexpand raw 
| rex field=raw "^(?P<field_name>[^\.]+)"

In your environment you should write:

| rex "^(?P<field_name>[^\.]+)"

Let me know if this helps!

Splunk Employee
| rex "^(?<name_of_new_field>.+?)\."

Explanation:

^

Anchor to the beginning of the line.

(?<name_of_new_field> some regular expression )

This is just saying that whatever is in the parentheses is a named capture group. Whatever you put between the < and > is the name of the new field.

.+?

Grab anything . one or more times + until ? ...

\.

We find a literal dot \. - the backslash is to escape its normal meaning as a wildcard character.

Try checking out this link to validate it.
https://regex101.com/r/JvZ4fS/1

Try checking out https://regexone.com/ if you want to learn more about regular expressions.

0 Karma

SplunkTrust

A vastly more efficient regex (roughly 5 times more efficient) is:

| rex "^(?<name_of_new_field>[^.]*)\."

The reason for the increase in efficiency is making the capture group look for something that is not a period and be greedy ( [^.]* ), not any character and be lazy ( .+? ).

0 Karma
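
The three patterns posted in the answers above return the same value for the question's samples but behave differently when a value has no period or starts with one. The following is an added example, not code from any poster: it uses Python's re module rather than Splunk's rex, and the group name host and the two edge-case values are constructed for illustration.

```python
import re

# The three patterns from the thread. Python's re needs the (?P<name>...)
# spelling for named groups; the group name "host" is an assumption.
PATTERNS = {
    "negated_plus": re.compile(r"^(?P<host>[^.]+)"),    # first answer
    "lazy_dot":     re.compile(r"^(?P<host>.+?)\."),    # second answer
    "negated_star": re.compile(r"^(?P<host>[^.]*)\."),  # third answer
}

# Values from the question, plus two constructed edge cases.
SAMPLES = [
    "ir7utbws001.Feb-12-2016.043./dev/sdi",
    "Gcase-field-ogs-batch-004-staging.dec-12-2016.043",
    "ebase73-ist-bat-002.Feb-12-2016.043./dev/sda1",
    "standalone-host",    # constructed: no period at all
    ".Feb-12-2016.043",   # constructed: nothing before the first period
]


def extract(value):
    """Return {pattern_name: captured text, or None if no match} for one value."""
    out = {}
    for name, rx in PATTERNS.items():
        m = rx.match(value)
        out[name] = m.group("host") if m else None
    return out


def disagreements(values):
    """Return only the values on which the three patterns do not all agree."""
    diff = {}
    for v in values:
        result = extract(v)
        if len(set(result.values())) > 1:
            diff[v] = result
    return diff


if __name__ == "__main__":
    for v in SAMPLES:
        print(f"{v!r:55} {extract(v)}")
    print("patterns disagree on:", list(disagreements(SAMPLES)))
```

The first pattern still matches a value with no period, while the other two require one; on a value with a leading period the lazy pattern captures past it and the `[^.]*` pattern captures an empty string.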