
How to use rex to extract the below text?

m7787580
Explorer

Full or partial cease : </strung></td> <td width="100%" galign="top" >Full<

I would like to extract the below text using the rex command and save it in a field named cease, as in the below example.
Starting after cease of Full or partial cease and ending at the last character. Here it is &lt;

It will look like below.
Cease= </strung></td> <td width="100%" galign="top" >Full<

Help would be highly appreciated

Regards,

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

... | rex "Full or partial cease\s*:\s*(?<Cease>.*)"


0 Karma

damiensurat
Contributor

Hi m7787580, Depending on the format of the search string, one or all of these should work. I would like to point out that when using the rex command, it is good to indicate which field you intend on extracting data from. For EG: rex field=MyHTMLStringData ".Cease=.>(?\w*)<"

These are the rex without the field parameter defined, but you can put it in at any point. Have a great day =)...

... | rex ".Cease=.>(?\w*)<"

OR 


... | rex "Full or partial cease Cease=.*>(?<Cease>\w*)<"


OR


... | rex ">(?<Cease>\w*)<"
0 Karma

damiensurat
Contributor
... | rex" Full or partial cease Cease=.*>(?<Cease>\w*)<"
0 Karma

m7787580
Explorer

Hi All,
There is a sudden change in requirement; now I have to fetch only >Full< from the text mentioned above.

New field= >Full<

I tried but it's not working for me.

Many thanks in advance

0 Karma

damiensurat
Contributor
... | rex "Full or partial cease\s*:\s*Cease=.*>(?\w*)<"
0 Karma

m7787580
Explorer

I am getting the below error.

Error in 'rex' command: Encountered the following error while compiling the regex 'Full or partial cease\s*:\s*Cease=.>(?\w)<': Regex: unrecognized character after (? or (?-

0 Karma

damiensurat
Contributor

Please remember to hit accepted answer and the up arrow... Thanks and have a great day. Hope it helped...

0 Karma

m7787580
Explorer

I tried to use your below query

rex "Full or partial cease\s*:\s*Cease=.>(?\w)<"|table NewFieldName

But it's not giving me any result.
Thanks for your help in advance

0 Karma

m7787580
Explorer

this is the exact full text

Full or partial cease : </strong></td>
<td width="60%" valign="top"
>Full</td>
</tr>

0 Karma

damiensurat
Contributor

Perfect, one other question... Is this event in a single string format, or is it logged with line breaks?

0 Karma

m7787580
Explorer

I guess it is logged with line breaks

0 Karma

damiensurat
Contributor
Hi m7787580, Depending on the format of the search string, one or all of these should work. I would like to point out that when using the rex command, it is good to indicate which field you intend on extracting data from. For EG: rex field=MyHTMLStringData ".*Cease=.*>(?<Cease>\w*)<"

These are the rex without the field parameter defined, but you can put it in at any point. Have a great day =)...

... | rex ".*Cease=.*>(?<Cease>\w*)<"

OR

... | rex "Full or partial cease Cease=.*>(?<Cease>\w*)<"

OR

... | rex ">(?<Cease>\w*)<"
0 Karma

damiensurat
Contributor

Sorry about that, I entered as text and not code and some bits were removed. I have resubmitted as an answer, which is what you are looking for. Should be available shortly.

0 Karma

m7787580
Explorer

Thanks for helping.
I am gladly waiting for your answer 🙂

0 Karma

woodcock
Esteemed Legend

Like this:

... | rex "Full or partial cease\s*:\s*(?<Cease>.*)"
0 Karma

m7787580
Explorer

Hi Woodcock,

There is a sudden change in requirement; now I have to fetch only >Full< from the text mentioned above.

New field= >Full<

I tried but it's not working for me.

Many thanks in advance

0 Karma

woodcock
Esteemed Legend

So your data is like this:

Full or partial cease : </strong></td> 
<td width="60%" valign="top" 
>Full</td> 
</tr> 

So try this:

| makeresults 
| eval _raw="Full or partial cease : </strong></td> 
<td width=\"60%\" valign=\"top\" 
>Full</td> 
</tr>"

| rename COMMENT AS "Everything above fakes test data; everything below is your solution"

| rex "(?ms)Full or partial cease\s*:\s*.*?<td.*?>(?<MyValue>.*?)</td>"
0 Karma

damiensurat
Contributor

nice use of makeresults woodcock!
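The patterns tried in this thread, run side by side against the multi-line sample, as an added example that is not part of any post above. It uses JavaScript, whose `(?<name>...)` named-group syntax matches the one used with rex here; the inline `(?ms)` is passed as regex flags, and the `patterns` keys and `extract` helper are hypothetical names.

```javascript
// Sample event text as quoted in the thread, rebuilt here with its line breaks.
const raw = [
  'Full or partial cease : </strong></td> ',
  '<td width="60%" valign="top" ',
  '>Full</td> ',
  '</tr> ',
].join('\n');

// Patterns from the thread; rex's inline (?ms) becomes the JS flags "ms".
const patterns = {
  // Greedy .* without dot-all stops at the first newline.
  restOfLine: { src: 'Full or partial cease\\s*:\\s*(?<Cease>.*)', flags: '' },
  // Needs the literal text "Cease=", which is the wanted field name, not event data.
  literalCease: { src: 'Full or partial cease Cease=.*>(?<Cease>\\w*)<', flags: '' },
  // Unanchored: takes the first >...< pair, here the empty one in "</strong></td>".
  firstTagPair: { src: '>(?<Cease>\\w*)<', flags: '' },
  // Dot-all plus lazy quantifiers: skip to the next <td ...> and capture its text.
  nextCell: { src: 'Full or partial cease\\s*:\\s*.*?<td.*?>(?<MyValue>.*?)</td>', flags: 'ms' },
  // Group name lost when the angle brackets were stripped from the post.
  strippedName: { src: 'Full or partial cease\\s*:\\s*Cease=.*>(?\\w*)<', flags: '' },
};

// Returns the named capture, null when nothing matches, or "compile error".
function extract(name, text) {
  const { src, flags } = patterns[name];
  let re;
  try {
    re = new RegExp(src, flags);
  } catch (e) {
    return 'compile error';
  }
  const m = re.exec(text);
  if (!m) return null;
  return Object.values(m.groups)[0];
}

for (const name of Object.keys(patterns)) {
  console.log(name.padEnd(13), JSON.stringify(extract(name, raw)));
}
```

Only the dot-all, lazy pattern yields `Full`; the others return the rest of the first line, nothing, an empty string, or fail to compile.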
