Splunk Search

How to use rex to extract the below text?

m7787580
Explorer

Full or partial cease : </strung></td> <td width="100%" galign="top" >Full<

I would like to extract the below text using the rex command and save it in a field as Cease in the below example.
It starts after "cease" in "Full or partial cease" and ends at the last character, which here is <.

It will look like below.
Cease= </strung></td> <td width="100%" galign="top" >Full<

Help would be highly appreciated

Regards,

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

... | rex "Full or partial cease\s*:\s*(?<Cease>.*)"

0 Karma

damiensurat
Contributor

Hi m7787580, Depending on the format of the search string, one or all of these should work. I would like to point out that when using the rex command, it is good to indicate which field you intend on extracting data from. For EG: rex field=MyHTMLStringData ".Cease=.>(?\w*)<"

These are the rex without the field parameter defined, but you can put it in at any point. Have a great day =)...

... | rex ".Cease=.>(?\w*)<"

OR 


... | rex "Full or partial cease Cease=.*>(?<Cease>\w*)<"


OR


... | rex ">(?<Cease>\w*)<"
0 Karma

damiensurat
Contributor
... | rex "Full or partial cease Cease=.*>(?<Cease>\w*)<"
0 Karma

m7787580
Explorer

Hi All,
There is a sudden change in requirement; now I have to fetch only >Full< from the text mentioned above.

New field= >Full<

I tried but it's not working for me.

Many thanks in advance

0 Karma

damiensurat
Contributor
... | rex "Full or partial cease\s*:\s*Cease=.*>(?\w*)<"
0 Karma

m7787580
Explorer

I am getting the below error.

Error in 'rex' command: Encountered the following error while compiling the regex 'Full or partial cease\s*:\s*Cease=.>(?\w)<': Regex: unrecognized character after (? or (?-

0 Karma

damiensurat
Contributor

Please remember to Hit accepted answer and the up arrow.... thanks and have a great day. Hope it helped...

0 Karma

m7787580
Explorer

I tried to use your below query

rex "Full or partial cease\s*:\s*Cease=.>(?\w)<"|table NewFieldName

But it's not giving me any result.
Thanks for your help in advance

0 Karma

m7787580
Explorer

This is the exact full text:

Full or partial cease : </strong></td>
<td width="60%" valign="top"
>Full</td>
</tr>

0 Karma

damiensurat
Contributor

Perfect, one other question... Is this event in a single string format, or is it logged with line breaks?

0 Karma

m7787580
Explorer

I guess it is logged with line breaks

0 Karma

damiensurat
Contributor
Hi m7787580, Depending on the format of the search string, one or all of these should work. I would like to point out that when using the rex command, it is good to indicate which field you intend on extracting data from. For EG: rex field=MyHTMLStringData ".*Cease=.*>(?<Cease>\w*)<"

These are the rex without the field parameter defined, but you can put it in at any point. Have a great day =)...

... | rex ".*Cease=.*>(?<Cease>\w*)<"

OR

... | rex "Full or partial cease Cease=.*>(?<Cease>\w*)<"

OR

... | rex ">(?<Cease>\w*)<"
0 Karma

damiensurat
Contributor

Sorry about that, I entered as text and not code and some bits were removed. I have resubmitted as an answer, which is what you are looking for. Should be available shortly.

0 Karma

m7787580
Explorer

Thanks for helping.
I am gladly waiting for your answer 🙂

0 Karma

m7787580
Explorer

Hi Woodcock,

There is a sudden change in requirement; now I have to fetch only >Full< from the text mentioned above.

New field= >Full<

I tried but it's not working for me.

Many thanks in advance

0 Karma

woodcock
Esteemed Legend

So your data is like this:

Full or partial cease : </strong></td> 
<td width="60%" valign="top" 
>Full</td> 
</tr> 

So try this:

| makeresults 
| eval _raw="Full or partial cease : </strong></td> 
<td width=\"60%\" valign=\"top\" 
>Full</td> 
</tr>"

| rename COMMENT AS "Everything above fakes test data; everything below is your solution"

| rex "(?ms)Full or partial cease\s*:\s*.*?<td.*?>(?<MyValue>.*?)</td>"
0 Karma

damiensurat
Contributor

nice use of makeresults woodcock!
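
An added example, not part of any post in this thread: the thread's patterns run against the multi-line event, showing where `.` stops at a line break, why the stripped `(?\w*)` group fails to compile, and what `(?ms)` with lazy quantifiers changes. It assumes Python's `re` as a stand-in for rex's PCRE engine; `to_python`, `extract`, `run_all` and the pattern labels are hypothetical names.

```python
import re

# The event text as the asker posted it (logged with line breaks).
EVENT = (
    'Full or partial cease : </strong></td>\n'
    '<td width="60%" valign="top"\n'
    '>Full</td>\n'
    '</tr>'
)

# Patterns quoted from the thread, in rex (PCRE) syntax. Labels are made up here.
THREAD_PATTERNS = {
    "first answer": r"Full or partial cease\s*:\s*(?<Cease>.*)",
    "bare tag match": r">(?<Cease>\w*)<",
    "stripped group name": r"Full or partial cease\s*:\s*Cease=.*>(?\w*)<",
    "final answer": r"(?ms)Full or partial cease\s*:\s*.*?<td.*?>(?<MyValue>.*?)</td>",
}


def to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left alone because the lookahead
    requires a letter or underscore after '<'.
    """
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def extract(pattern, text=EVENT):
    """Return the named captures, None on no match, or 'compile error'."""
    try:
        match = re.search(to_python(pattern), text)
    except re.error:
        # An unnamed "(?" group, as left behind when the forum stripped <Cease>.
        return "compile error"
    return match.groupdict() if match else None


def run_all():
    """Evaluate every thread pattern against the sample event."""
    return {label: extract(p) for label, p in THREAD_PATTERNS.items()}


if __name__ == "__main__":
    for label, result in run_all().items():
        print(f"{label:20} -> {result!r}")
```

The bare `>(?<Cease>\w*)<` pattern matches first at the `><` between the two closing tags on the first line, so it captures an empty string rather than `Full`.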
