Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to generate a regular expression that extracts a field in my event data?

jeck11
Path Finder
‎02-24-2017 06:39 AM

I need to do a field extraction for everything after the ) to the end of the first line. I've tried about every regex I can think of to signify EOL but nothing seems to work so far.

Here is an event sample:
2017-02-22T18:01:04 | Creating request for https://0.0.0.0/images/logo.gif (msecure.company.com) Mobile US Site1 VIP
2017-02-22T18:01:04 | Information SSL1399 - The certificate is valid.; Data: Mobile US Site1 VIP; URL: https://0.0.0.0/images/logo.gif; Domain: msecure.company.com; Expiration: 08/10/2018 08:00:00

So for this event I would want this field to be "Mobile US Site1 VIP".

I'm sure I'm messing something up. Thanks in advanced!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrballesteros05
Communicator
‎02-24-2017 11:51 AM

Hi, sorry if I misunderstood.

Is that a multiline event? If so, you should use this one: 

.*?\)\s+(?P<description>.*?)\n

View solution in original post

Reply
Solved! Jump to solution
Solution

jrballesteros05
Communicator
‎02-24-2017 11:51 AM

Hi, sorry if I misunderstood.

Is that a multiline event? If so, you should use this one: 

.*?\)\s+(?P<description>.*?)\n
Reply
Solved! Jump to solution

jeck11
Path Finder
‎02-24-2017 11:55 AM

YES! That did it. Thanks!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-24-2017 01:09 PM

@Jeck11, glad @jrballesteros05's answer provided a working solution to your question? Please don't forget to resolve this post by clicking "Accept".

0 Karma
Reply
Solved! Jump to solution

jrballesteros05
Communicator
‎02-24-2017 11:34 AM

This one seems to work for me: 

 .*?\)\s+(?P<description>.*)
0 Karma
Reply
Solved! Jump to solution

jeck11
Path Finder
‎02-24-2017 11:45 AM

Yeah. That's what I came up with when using an external site like https://www.regex101.com/. Unfortunately, when I try that in Splunk it begins at the correct spot but goes all the way to the end of the last line instead of stopping at the end of line 1.

2017 02 24 14 39 09 Online regex tester and debugger PHP PCRE Python Golang and Java Script

0 Karma
Reply
Solved! Jump to solution

pkeller
Contributor
‎02-24-2017 11:52 AM

So your example is a multi-line event? .... This might work: ^.[^)]+)\s+(?P.+)\n?

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎02-24-2017 10:03 AM

Is this what you are trying to do?

(?:^)(?:[^\)]+\)\s)(.+)
0 Karma
Reply
Solved! Jump to solution

jeck11
Path Finder
‎02-24-2017 10:14 AM

Your regex doesn't appear to select anything when I try it.

Here is the regex that Splunk gives me when I try and do it through the wizard:

^[^\)\n]*\)\s+(?P<description>\w+\s+\w+\s+\w+\s+\w+)

This will select anything up to a special character but the final field could have a dash ("-") in it and I can't control how long it is either.

0 Karma
Reply
Solved! Jump to solution

pkeller
Contributor
‎02-24-2017 10:48 AM

This seems to work at: https://www.regex101.com/

^.[^)]+)\s+(?P.+)

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...