Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to grab the second value of a delimited field with rex?

Splunkster45
Communicator
‎01-28-2015 02:13 PM

I have a field of the following form:
mysplit=A.B
Where A is a string of letters and B is a Number.

I'm trying to extract the .B part using the rex command, but am running into errors. Here's my search string

... |  rex field=mysplit "*\.?<test>*" | ...

But I get the following error message "Error in 'rex' command: Encountered the following error while compiling the regex '.?': Regex: nothing to repeat"

Can someone see what I'm doing wrong?

Thanks!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jdunlea
Contributor
‎01-28-2015 02:34 PM

There are some things missing here. You need to:

a) Specify a capture group - Using ()

and

b) ensure that you have something to "repeat". I presume that your asterix means that you want to say "any character". However in regex language asterix means "repeat". So you must tell Splunk what you want repeated.

I think you mean to say "Any character", but for regex you need to say .* - The period means "any character" and the * means "repeated 0 or many times".

Try the code below. This is assuming that the second value in your delimited field is also the last value.

... | rex field=mysplit ".*?\.(?.*)" | ...

View solution in original post

Reply
Solved! Jump to solution
Solution

jdunlea
Contributor
‎01-28-2015 02:34 PM

There are some things missing here. You need to:

a) Specify a capture group - Using ()

and

b) ensure that you have something to "repeat". I presume that your asterix means that you want to say "any character". However in regex language asterix means "repeat". So you must tell Splunk what you want repeated.

I think you mean to say "Any character", but for regex you need to say .* - The period means "any character" and the * means "repeated 0 or many times".

Try the code below. This is assuming that the second value in your delimited field is also the last value.

... | rex field=mysplit ".*?\.(?.*)" | ...

Reply
Solved! Jump to solution

Splunkster45
Communicator
‎01-29-2015 07:25 AM

Thanks for your 'not greedy' explanation. That makes sense!

With regards to your comment on my code, I forgot to put my code in the code bracket. 😞 I have fixed it. 🙂

0 Karma
Reply
Solved! Jump to solution

jdunlea
Contributor
‎01-29-2015 07:30 AM

No problem! Glad I could help!

0 Karma
Reply
Solved! Jump to solution

Splunkster45
Communicator
‎01-29-2015 05:43 AM

Got'cha. When I tried your code 'as is' it didn't work. Then I realized that the '<'test> was eaten by the internet.

For those reading this in the future, the above code almost looks like this: 

... | rex field=mysplit ".*?\.(?'<'test>.*)" | ...

Be sure to remove the two ' surrounding the less than symbol.

Quick question. Why do we need the '?' that is in front of the '.' I understand why we need to escape the period, but not the question mark. Thanks for your help!

0 Karma
Reply
Solved! Jump to solution

jdunlea
Contributor
‎01-29-2015 06:23 AM

Ah yes the '<'test> did get swallowed up. Thanks for updating!

So the first ? is to make the previous wildcard "not greedy". That is, if I say .*\. - This means the following

"capture any value multiple times up until a period."

By default the rex will match everything up until the LAST period. When I add the ? like this - .*?\. - it simply adjusts it to mean the following

"capture any value multiple times up until the FIRST period."

Note, in your code above, you seem to have stripped out the wildcard, * so indeed, the first ? makes no sense here. But if you see my answer it has .*?\. - The ? basically makes sure that the * stops matching once it comes to the FIRST instance of whatever you have after the ?.

The second ? is something related to the capture group and the field name, but I'm not entirely sure what it does!

Hope this helps!

Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...