Re: How to search from last occurrence of a string

benuantony · ‎02-10-2020

Hello Experts,

I am trying to read the text from the last square bracket (which is TestModelCompany,en_US)

21:11:31,367 INFO  [TestBenuLogger] [155.56.208.68] [716057]  [-] [TestModelCompany,en_US] No 1 XX_TimeStep="10" XX_TimeQuery="10" XX_HTTPSession="1398708550-1911P0" XX_QuerySession="null" XX_TimeStamp="2020-02-09T20:11:31.358Z-PY" XX_Company="Model Company" XX_QueryMode="STANDARD" XX_Agent="Model"

Starting Model API :
Mode       : Standard
Query Operation : QUERY
Company         : Model Company
New Snapshot Calculation

I wrote a regular expression to extract the content from last bracket,

(?<=\[)[^\[\]]*(?=][^\[\]]+$)

It works well. However I am unable to integrate it in the splunk,

This is my existing splunk query,

sourcetype=text XX_Company="*" last_modified_on index="*_test_application" | rex field=_raw "last_modified_on.*?to_datetime\('(?<lmo_date>.*?):\d\d\w\'"  | eval lmo_date_converted=strptime(lmo_date,"%Y-%m-%dT%H:%M") |  eval daysDiff=(_time-lmo_date_converted)/86400 | rex field=_raw "(?<name><=\[)[^\[\]]*(?=][^\[\]]+$)"  | where daysDiff > 90  | stats avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On"  by  XX_Company XX_Mode | sort -"Last Modified On averege days in past"

This is a working splunk query. With this, I would like to display the content from the last bracket as a column. Could you guide?

somesoni2 · ‎02-11-2020

Give this a try

sourcetype=text XX_Company="*" last_modified_on index="*_test_application" | rex field=_raw "last_modified_on.*?to_datetime\('(?<lmo_date>.*?):\d\d\w\'"  | eval lmo_date_converted=strptime(lmo_date,"%Y-%m-%dT%H:%M") |  eval daysDiff=(_time-lmo_date_converted)/86400  | where daysDiff > 90 | rex field=_raw "^([^\[]+\[){5}(?<name>[^\]]+)"   | stats avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On"  by  XX_Company XX_Mode name | sort -"Last Modified On averege days in past"

benuantony · ‎02-11-2020

any idea?

somesoni2 · ‎02-11-2020

Is the log format constant? If yes, the name you're trying to extract is 5th [...] element. Extract that base on number and add name to your stats-by clause.

to4kawa · ‎02-10-2020

| stats values(name) as name avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On"  by  XX_Company XX_Mode

I fix stats .

benuantony · ‎02-11-2020

I just need to add a new column with my regex. The stats is already working well

The regular expression to extract the content from last bracket is this,

(?<=[)[^[]]*(?=][^[]]+$)

How to add this in rex & show it as a column with existing query?

to4kawa · ‎02-11-2020

Do you try my last answer? name value is appeared.

wneighbo · ‎02-10-2020

try adjusting your second rex: rex field=_raw "(?<name>(?<=\[)[^\[\]]*)(?=][^\[\]]+$)"

benuantony · ‎02-11-2020

what is wrong in this?

to4kawa · ‎02-11-2020

|rex field=_raw "\[(?<name>.*?\,.*?)\]"

simply.

benuantony · ‎02-11-2020

ok.. how to display the variable "name" as column in statistics? I would like to test your rex field=_raw "[(?.?\,.?)]"

How to search from last occurrence of a string

Get Schooled with Splunk Education: Explore Our Latest Courses

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)