Splunk Search

Need assist with regex for extractions

nls7010
Path Finder

I am trying to get some name space information from the clients inputs. the value I want is namespaceName. I am unfamiliar with regex and would like an assist if possible. This is the field I want:
, namespaceName=aqua2}, There is always a comma-space-namespaceName=-curly bracket-comma. (For example: , namespaceName=aqua2},

Destination app: Search
Name: nsName
Apply to: sourcetype
named:
Type: inline
Extraction/Transform: nsName=\s(?}

And I want this to be available for the users for their searches for the namespaceName values.

0 Karma
1 Solution

nls7010
Path Finder

Tried it in a search and it works, so do I just go to the Field Extensions and create it there?

View solution in original post

0 Karma

nls7010
Path Finder

I accept the answer, it works wonderfully

0 Karma

nls7010
Path Finder

Tried it in a search and it works, so do I just go to the Field Extensions and create it there?

0 Karma

mayurr98
Super Champion

Yes go to Settings » Fields » Field extractions » Add new and put \,\snamespaceName=(?<namespacename>[^\}]+)\}\, in Extraction/Transform.

Accept the answer if it works for you to close this question.

0 Karma

nls7010
Path Finder

It worked well, thank you

0 Karma

mayurr98
Super Champion

try this run anywhere search:

| makeresults | eval data=", namespaceName=aqua2}," | rex field=data "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"

In your environment, you should try:

index=your_index | rex field=_raw "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"

let me know if this helps!

0 Karma

nls7010
Path Finder

" Extraction/Transform: nsName=\s(?[\,\w "

0 Karma

nls7010
Path Finder

doggone it the wole line is not showing. there is a ( then a then the rest as shown

0 Karma

nls7010
Path Finder

namespaceName is in between the \s and \w

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...