Splunk Search

How to generate a regular expression that extracts a field in my event data?

jeck11
Path Finder

I need to do a field extraction for everything after the ) to the end of the first line. I've tried about every regex I can think of to signify EOL but nothing seems to work so far.

Here is an event sample:
2017-02-22T18:01:04 | Creating request for https://0.0.0.0/images/logo.gif (msecure.company.com) Mobile US Site1 VIP
2017-02-22T18:01:04 | Information SSL1399 - The certificate is valid.; Data: Mobile US Site1 VIP; URL: https://0.0.0.0/images/logo.gif; Domain: msecure.company.com; Expiration: 08/10/2018 08:00:00

So for this event I would want this field to be "Mobile US Site1 VIP".

I'm sure I'm messing something up. Thanks in advance!

0 Karma
1 Solution

jrballesteros05
Communicator

Hi, sorry if I misunderstood.

Is that a multiline event? If so, you should use this one:

.*?\)\s+(?P<description>.*?)\n


jeck11
Path Finder

YES! That did it. Thanks!

0 Karma
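As an added illustration (not part of this thread, and not Splunk's own code), the patterns quoted above run in Python's re module, whose `.` also stops at a newline unless a dotall flag is set, against a constructed copy of the sample event. It shows the accepted `.*?\)\s+(?P<description>.*?)\n` stopping at the end of line 1, what the `.*` form captures once dot is allowed to cross newlines (the symptom jeck11 reports without the thread establishing why Splunk behaved that way), why the wizard's `\w+` pattern fails when the value contains a dash, and a `[^\n]*` variant (an addition here, not from the thread) that also matches a single-line event with no trailing newline. The dash variant and the one-line event are constructed inputs.

```python
import re

# Constructed copy of the two-line event from the question (host and IP as in the thread).
EVENT = (
    "2017-02-22T18:01:04 | Creating request for https://0.0.0.0/images/logo.gif "
    "(msecure.company.com) Mobile US Site1 VIP\n"
    "2017-02-22T18:01:04 | Information SSL1399 - The certificate is valid.; "
    "Data: Mobile US Site1 VIP; URL: https://0.0.0.0/images/logo.gif; "
    "Domain: msecure.company.com; Expiration: 08/10/2018 08:00:00\n"
)
# Constructed variant: the wanted value contains a dash, which jeck11 says can happen.
EVENT_DASH = EVENT.replace("Site1 VIP\n", "Site-1 VIP\n", 1)
# Constructed variant: a single-line event with no trailing newline.
EVENT_ONE_LINE = EVENT.split("\n")[0]

# Patterns quoted from the thread.
ACCEPTED = r".*?\)\s+(?P<description>.*?)\n"   # jrballesteros05, accepted answer
GREEDY = r".*?\)\s+(?P<description>.*)"        # jrballesteros05, first attempt
WIZARD = r"^[^\)\n]*\)\s+(?P<description>\w+\s+\w+\s+\w+\s+\w+)"  # Splunk's field extractor
# Hypothetical variant added here: [^\n]* stops at end of line whether or not a newline follows.
ROBUST = r".*?\)\s+(?P<description>[^\n]*)"


def extract(pattern, event, dotall=False):
    """Return the 'description' capture group, or None when the pattern does not match.

    dotall=True makes '.' match newlines (Python's re.DOTALL, PCRE's (?s)).
    """
    flags = re.DOTALL if dotall else 0
    match = re.search(pattern, event, flags)
    return match.group("description") if match else None


def first_line_only(value):
    """True when an extracted value stops at the end of the event's first line."""
    return value is not None and "\n" not in value


if __name__ == "__main__":
    for name, pattern in [("accepted", ACCEPTED), ("greedy", GREEDY),
                          ("wizard", WIZARD), ("robust", ROBUST)]:
        print(f"{name:9s} two-line event:      {extract(pattern, EVENT)!r}")
        print(f"{name:9s} dot matches newline: {extract(pattern, EVENT, dotall=True)!r}")
        print(f"{name:9s} dash in value:       {extract(pattern, EVENT_DASH)!r}")
        print(f"{name:9s} single-line event:   {extract(pattern, EVENT_ONE_LINE)!r}")
```

The terminator is what matters: the accepted pattern ends the capture at the `\n`, so it is unaffected by whether dot crosses newlines, whereas the `.*` form captures the whole rest of the event as soon as it does. The `\n` also means the accepted pattern does not match an event whose first line has no newline after it; the `[^\n]*` variant covers both cases.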

somesoni2
SplunkTrust

@Jeck11, glad @jrballesteros05's answer provided a working solution to your question? Please don't forget to resolve this post by clicking "Accept".

0 Karma

jrballesteros05
Communicator

This one seems to work for me:

.*?\)\s+(?P<description>.*)

0 Karma

jeck11
Path Finder

Yeah. That's what I came up with when using an external site like https://www.regex101.com/. Unfortunately, when I try that in Splunk it begins at the correct spot but goes all the way to the end of the last line instead of stopping at the end of line 1.


0 Karma

pkeller
Contributor

So your example is a multi-line event? .... This might work: ^.[^)]+)\s+(?P.+)\n?

0 Karma

horsefez
SplunkTrust

Is this what you are trying to do?

(?:^)(?:[^\)]+\)\s)(.+)

0 Karma

jeck11
Path Finder

Your regex doesn't appear to select anything when I try it.

Here is the regex that Splunk gives me when I try and do it through the wizard:

^[^\)\n]*\)\s+(?P<description>\w+\s+\w+\s+\w+\s+\w+)

This will select anything up to a special character but the final field could have a dash ("-") in it and I can't control how long it is either.

0 Karma

pkeller
Contributor

This seems to work at: https://www.regex101.com/

^.[^)]+)\s+(?P.+)

0 Karma