Hi,
I'm kind of new to the Splunk world and I'm trying to create a new extraction field.
Here are two examples of my logs.
```
14394300 SERVER1 02772 SND_OK 0000 NbF=1;TEST2N.02503.02772.SERVER2;
16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;
```
I don't know how to extract the information in bold.
My extract/transform looks like this:
```
(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+(?P<Rtn>.+)
```
My fields work correctly for my use (and different cases) but now I'm trying to be more accurate for <Rtn>.
<Rtn> now is:
```
NbF=1;XXXRD.NN0015.67965.SERVER1;
```
What I need is just the NN0015 or 02503.
I tried with "positive lookbehind" or "positive lookahead" without any success.
Is it possible to have some help? Thanks!
Lookbehind is not needed. Try this:
```
(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+NbF=[^\.]+\.(?P<Rtn>[^\.]+)
```
If this reply helps you, Karma would be appreciated.
Hi!
It's not working as expected.
It gave me this result:
```
NbF=1;XXXRD.NN0015.67965.SERVER1;
```
What I need is "NN0015". I will continue to search with your solution, I can maybe do something with it 🙂
Make sure you copied the regex correctly. "NbF" is not part of a capture group so you should not be getting that in a field.
If this reply helps you, Karma would be appreciated.
Hi!
Yes, it's working. I had a strange bug: I changed <Rtn> to <alias> and it didn't work. I changed it again to <Rtn> or <Alias> or something else and it works...
So thank you; unfortunately I didn't expect that I could have data with a different format...
It works perfectly with:
```
16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;
```
but of course not when I have:
```
16434800 SERVER6 67965 SND_OK 0000 X00700086;
```
I'm trying to create an "or" with a | but I'm still in pain with regex 😄
Which part of "16434800 SERVER6 67965 SND_OK 0000 X00700086;" are you trying to extract?
Sometimes, it's easier to use two separate rex commands than to combine regular expressions.
If this reply helps you, Karma would be appreciated.
Case 1:
```
16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;
```
Case 2:
```
16434800 SERVER6 67965 SND_OK 0000 X00700086;
```
In both cases, what's in bold is my <Rtn>.
In case 1, your first solution works perfectly, but not in case 2.
This works with the two sample events.
```
(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+(?P<errorCode>\d+)\s+(?:NbF=[^\.]+\.(?P<Rtn>[^\.]+)|(?<Rtn2>[^;]+))
```
Select the Rtn field using coalesce.
```
... | eval Rtn=coalesce(Rtn, Rtn2)
```
If this reply helps you, Karma would be appreciated.
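Added example (not part of the thread, and not Splunk's own code): the accepted regex applied to the three sample events from this thread, with the `coalesce` step reproduced in Python so the two branches of the alternation can be checked offline. Python's `re` only accepts `(?P<name>...)`, so the `(?<Rtn2>...)` group is written that way here; the behaviour is the same as in Splunk's PCRE engine.

```python
import re

# Accepted-answer regex, with the second named group in Python's (?P<name>...) form.
# Branch 1 handles "NbF=1;PREFIX.VALUE.…" and captures VALUE; branch 2 is the
# catch-all "anything up to the first semicolon" for events like "X00700086;".
EVENT_RE = re.compile(
    r"(?P<time>\d+)\s+(?P<sdr>\w*)\s+(?P<seq>[^ ]*)\s+(?P<status>[^ ]+)\s+"
    r"(?P<errorCode>\d+)\s+(?:NbF=[^\.]+\.(?P<Rtn>[^\.]+)|(?P<Rtn2>[^;]+))"
)

# Sample events copied from the thread (the two from the question plus case 2).
SAMPLE_EVENTS = [
    "14394300 SERVER1 02772 SND_OK 0000 NbF=1;TEST2N.02503.02772.SERVER2;",
    "16434800 SERVER6 67965 SND_OK 0000 NbF=1;XXXRD.NN0015.67965.SERVER1;",
    "16434800 SERVER6 67965 SND_OK 0000 X00700086;",
]


def extract(event):
    """Return the extracted fields for one event, or None if the regex does not match.

    Mirrors `rex` followed by `eval Rtn=coalesce(Rtn, Rtn2)`: whichever branch
    matched supplies Rtn, and the helper group Rtn2 is dropped from the output.
    """
    m = EVENT_RE.match(event)
    if m is None:
        return None
    fields = m.groupdict()
    if fields["Rtn"] is None:          # coalesce(): first non-null value wins
        fields["Rtn"] = fields["Rtn2"]
    del fields["Rtn2"]
    return fields


def extract_all(events):
    """Extract every event; unmatched events come back as None so they are visible."""
    return [extract(e) for e in events]


if __name__ == "__main__":
    for fields in extract_all(SAMPLE_EVENTS):
        print(fields)
```

Because `Rtn2` is `[^;]+`, any event whose tail does not start with `NbF=` will populate Rtn with everything up to the first semicolon, so check the extracted values against a sample of real events before relying on it in a dashboard.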
I didn't know the coalesce command.
Works perfectly now with that. I just had to modify my dashboards.
Thank you very much!