Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a Regex to capture the Path(\Απεσταλμένα) and Subject (TYPICAL MAIN SHELF)?

biswa2112
Engager
‎08-22-2022 11:32 AM

I want to capture the Path (\Απεσταλμένα) and Subject (TYPICAL MAIN SHELF) .  I am using below regex Subject\W\s(?<Subject>.*)  and 

rex "Path\W\s(?<Path>\W.*)" 

 

But these are not working . It is not capturing the path while for subject it is capturing many more lines which are not required .

 

Someone please help 

 

PH0PR07MB8510A5DC1014429F3B411EB1E39B9@PH0PR07MB8510.namprd07.prod.outlook.com>
IsRecord: false
ParentFolder: { [-]
Id: LgAAAACYR3ou5YLkQLdwhKR5o0aGAQDzGy/hF08sRpmozaW+A2HqAAAAdHcNAAAB
Path: \Απεσταλμένα
}
SizeInBytes: 180998
Subject: TYPICAL MAIN SHELF
}
LogonType: 0
LogonUserSid: S-1-5-21-2050334910-350505970-4048673702-5100548
MailboxGuid: 967cf2f1-6b52-4e79-bf98-1hnfj55667
MailboxOwnerSid: S-1-5-21-2050334910-350505970-499886553

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-22-2022 04:36 PM

It depends on what the data really looks like - the .* part of the Subject capture will capture everything up to a line terminator. You data _implies_ that the text is on multiple lines, but it looks like you've pasted that from a JSON viewer, which is interpreting your data - particularly as there are no visible quotes, which would be expected in JSON.

Can you show the RAW field rather than this formatted one.

The .* capture part of the field may probably be better written as 

[^\"]*

i.e. capture up to a terminating quotation character. However, it also may be that the JSON can be parsed directly with spath - depending on what fields are extracted

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎08-22-2022 04:36 PM

It depends on what the data really looks like - the .* part of the Subject capture will capture everything up to a line terminator. You data _implies_ that the text is on multiple lines, but it looks like you've pasted that from a JSON viewer, which is interpreting your data - particularly as there are no visible quotes, which would be expected in JSON.

Can you show the RAW field rather than this formatted one.

The .* capture part of the field may probably be better written as 

[^\"]*

i.e. capture up to a terminating quotation character. However, it also may be that the JSON can be parsed directly with spath - depending on what fields are extracted

 

Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...