Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to pull one variable with multiple changing values?

aohls
Contributor
‎06-15-2017 05:04 AM

I have for example something as follows, "Request X|Y|Z" where X, Y, and Z all change each time the message is displayed. In this case I only want to review value Z. I was thinking something like the following:

rex (?<num1>\d)|(?<num2>\d)|(?<num3>\d), but I am not getting he results back as expected. What would be the best way to handle this?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-15-2017 04:21 PM

Try this:

... | rex "(?<thing1>[^\|]+)|(?<thing2>>[^\|])|(?<thing3>>[^\|])"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎06-16-2017 04:38 AM

regex101.com is your friend. You can put an example text value to extract, and your regular expression, into the screen and it will show you what happens.

It's not always perfect in its match with what splunk will do, but in this case it would have taught you that the | needed to be \|.

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-15-2017 04:21 PM

Try this:

... | rex "(?<thing1>[^\|]+)|(?<thing2>>[^\|])|(?<thing3>>[^\|])"
0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-15-2017 08:40 AM

The vertical bars (|) in your events are literal, but when you use them in regex as shown, they become logical ORs. You need to escape such special characters if they are literal.

rex (?<num1>\d)\|(?<num2>\d)\|(?<num3>\d)

In fact if you are only interested in Z, you don't have to extract num1 and num2.

0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎06-15-2017 10:58 AM

Would I need to add anything to account for blank space?

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎06-15-2017 11:21 AM

Yes, if your data contains blank spaces, you need to account for them.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...