Solved: Re: Need assist with regex for extractions

nls7010 · ‎08-09-2019

I am trying to get some name space information from the clients inputs. the value I want is namespaceName. I am unfamiliar with regex and would like an assist if possible. This is the field I want:
, namespaceName=aqua2}, There is always a comma-space-namespaceName=-curly bracket-comma. (For example: , namespaceName=aqua2},

Destination app: Search
Name: nsName
Apply to: sourcetype
named:
Type: inline
Extraction/Transform: nsName=\s(?}

And I want this to be available for the users for their searches for the namespaceName values.

nls7010 · ‎08-09-2019

Tried it in a search and it works, so do I just go to the Field Extensions and create it there?

View solution in original post

nls7010 · ‎08-09-2019

I accept the answer, it works wonderfully

nls7010 · ‎08-09-2019

Tried it in a search and it works, so do I just go to the Field Extensions and create it there?

mayurr98 · ‎08-09-2019

Yes go to Settings » Fields » Field extractions » Add new and put \,\snamespaceName=(?<namespacename>[^\}]+)\}\, in Extraction/Transform.

Accept the answer if it works for you to close this question.

nls7010 · ‎08-09-2019

It worked well, thank you

mayurr98 · ‎08-09-2019

try this run anywhere search:

| makeresults | eval data=", namespaceName=aqua2}," | rex field=data "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"

In your environment, you should try:

index=your_index | rex field=_raw "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"

let me know if this helps!

nls7010 · ‎08-09-2019

" Extraction/Transform: nsName=\s(?[\,\w "

nls7010 · ‎08-09-2019

doggone it the wole line is not showing. there is a ( then a then the rest as shown

nls7010 · ‎08-09-2019

namespaceName is in between the \s and \w

Need assist with regex for extractions

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)