Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use regex to obtain a single string from a string sequence?

Nidd
Path Finder
‎06-04-2018 09:38 AM

I have not used regex in my queries much. Any help in resolving this would be much helpful.

I have the following log:

INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213803 and 266946419581359002
INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213903 and 266946419581359003

I wish to obtain the following result:

----------------------------------------------
suspect            |    altSuspect
----------------------------------------------
262352812954213803  |   266946419581359002
262352812954213903  |   266946419581359003
----------------------------------------------

i.e. The IDs obtained on the logs as suspect and altSuspect.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎06-04-2018 10:07 AM

try this:

| makeresults count =1 
| eval data = " INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213803 and 266946419581359002
 ;INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213903 and 266946419581359003"
| makemv delim=";" data 
| mvexpand data
| rex field=data "for\s(?<suspect>\d+)\sand\s(?<altSuspect>\d+)"
| table suspect altSuspect

screenshot:
![alt text][1]

hope it helps

View solution in original post

Preview file
1 KB
Preview file
1 KB
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎06-04-2018 10:07 AM

try this:

| makeresults count =1 
| eval data = " INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213803 and 266946419581359002
 ;INFO | 2018-06-04 09:26:46,449 | EvergreenWorker - starting createSuspects for 262352812954213903 and 266946419581359003"
| makemv delim=";" data 
| mvexpand data
| rex field=data "for\s(?<suspect>\d+)\sand\s(?<altSuspect>\d+)"
| table suspect altSuspect

screenshot:
![alt text][1]

hope it helps

Preview file
1 KB
Preview file
1 KB
Reply
Solved! Jump to solution

Nidd
Path Finder
‎06-04-2018 10:41 PM

Thanks Adonio ! 🙂

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎06-04-2018 10:10 AM

If it's not clear from the above, the piece you need, @Nidd, is to add after whatever search you have to return your rows...

| rex field=data "for\s(?<suspect>\d+)\sand\s(?<altSuspect>\d+)"
| table suspect altSuspect

Those two lines should extract your two fields then create a table out of them for you.

Happy Splunking!
-Rich

0 Karma
Reply
Solved! Jump to solution

Nidd
Path Finder
‎06-04-2018 10:42 PM

Thank you Rich 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...