- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need assist with regex for extractions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to get some name space information from the clients inputs. the value I want is namespaceName. I am unfamiliar with regex and would like an assist if possible. This is the field I want:
, namespaceName=aqua2}, There is always a comma-space-namespaceName=-curly bracket-comma. (For example: , namespaceName=aqua2},
Destination app: Search
Name: nsName
Apply to: sourcetype
named:
Type: inline
Extraction/Transform: nsName=\s(?}
And I want this to be available for the users for their searches for the namespaceName values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried it in a search and it works, so do I just go to the Field Extensions and create it there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I accept the answer, it works wonderfully
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried it in a search and it works, so do I just go to the Field Extensions and create it there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes go to Settings » Fields » Field extractions » Add new and put \,\snamespaceName=(?<namespacename>[^\}]+)\}\, in Extraction/Transform.
Accept the answer if it works for you to close this question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked well, thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this run anywhere search:
| makeresults | eval data=", namespaceName=aqua2}," | rex field=data "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"
In your environment, you should try:
index=your_index | rex field=_raw "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
" Extraction/Transform: nsName=\s(?[\,\w "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
doggone it the wole line is not showing. there is a ( then a then the rest as shown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
namespaceName is in between the \s and \w
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
