Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to split and retrieve a value ?

zacksoft
Contributor
‎01-04-2018 04:27 AM

I think we may need regex for this and I am not good at it.
I need to be able to extract the last part i.e. (TMNT-1752) from the below string . In some cases the numeric part could be three or more digits too like CMNU-112 or NT=1223 etc or TURC-12223. I think I want the part that comes after selectedIssue=.

https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

p_gurav
Champion
‎01-04-2018 05:39 AM

Hi,

Can you try this :

  | rex field=url "selected\w+=(?<value>(([^\&]+)|(.+)))"

OR 

  | rex field=_raw "selected\w+=(?<value>(([^\&]+)|(.+)))"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

nikita_p
Contributor
‎01-04-2018 06:16 AM

Hi @,
I think the regex above should work for you but still if it's not you can try below regex.
index=xyz | rex field=url "\"(selected\w+)\"[=]*(?P(([^&]+)|(.+)))\""

0 Karma
Reply
Solved! Jump to solution
Solution

p_gurav
Champion
‎01-04-2018 05:39 AM

Hi,

Can you try this :

  | rex field=url "selected\w+=(?<value>(([^\&]+)|(.+)))"

OR 

  | rex field=_raw "selected\w+=(?<value>(([^\&]+)|(.+)))"
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2018 05:45 AM

Thanks @p_gurav

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎01-04-2018 05:47 AM

Welcome. 🙂

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎01-04-2018 05:16 AM

Hi man,

This should work for you :

  | rex field=url "selectedIssue\=(?<value>[^\&]+)"

Best regards,
David

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2018 05:32 AM

What if the string I am looking for is between "selected=" and "&"

example : selectedIssue=TWNT1752&
selectedDefect=TMNT1752
selectedGarfi=TMNT1234
selectedEpic=TMNT1234

How do I extract it ?

0 Karma
Reply
Solved! Jump to solution

DavidHourani
Super Champion
‎01-04-2018 05:59 AM

Ah from what I read I saw you needed selected issue only.

Simplest form is:

  | rex field=url "selected\w+=(?<value>[^\&]+)"
0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎01-04-2018 04:37 AM

Hi zacksoft,

In example string is "pelectedIkkue=" constant? If yes then you can try below one:

| rex field=_raw "selectedIssue\=(?P<field1>.+)"
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2018 04:41 AM

If I try this , where will it extract TMNT-1752 to ?
I need to able to use the value and put it in a table.

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎01-04-2018 04:43 AM

it will extract into "field1".. which you can use in the search

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2018 04:46 AM

@p_gurav
Actually it's not _raw. The entire string itself is stored in a field caleld "url".
What changes do I make for that ?

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎01-04-2018 04:49 AM

Then used below:

 | rex field=url "selectedIssue\=(?P<field1>.+)"
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2018 04:57 AM

A small change ... I see in some of the strings there are some values that are present after TMNT-1752 and they begin with '&' and that messes up the extract. Can I filter those ?

Example : https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752&m...

The current query's output is "TMNT-1752&myReq=1234somethingsomething"

Can we just get the part present between "selectedIssue=" and "&"

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎01-04-2018 05:02 AM

Then try this, It will create field called value which you can use in search:

  | rex field=url "selectedIssue\=(?<value>(([^\&]+)|(.+)))"

OR

    | rex field=_raw "selectedIssue\=(?<value>(([^\&]+)|(.+)))"
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2018 04:39 AM

Yes, that is constant. The only value that changes is 'TMNT-1752'. It could be something like ABC-1233 or ABFD-121 etc...

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎01-04-2018 04:34 AM

Hi @zacksoft,

Please try <yourBasesearch> | rex ".*=(?<value>.*)" this will extract TMNT-1752 into new field value

Here is run anywhere search, first 2 lines generating dummy data only.

| makeresults 
| eval _raw="https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&pelectedIkkue=TMNT-1752" 
| rex ".*=(?<value>.*)"
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2018 04:43 AM

There is another "=" sign before "rapidView". But I don't want that value. I only want the last one that comes after 'selectedIssue='

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎01-04-2018 04:46 AM

Can you please post your full event instead of part of event so that we can write regex properly.

0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎01-04-2018 04:49 AM

The string itself is extracted from _raw and stored in a field called 'url'.
And url field is as follows. I need the string that is present after 'selectedIssue='

https://phut.mayhem.com/secure/JapidJoard.jspa?rapidView=12339&view=detail&selectedIssue=TMNT-1752"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...