Solved: Re: Need assist with regex for extractions

nls7010 · ‎08-09-2019

I am trying to get some name space information from the clients inputs. the value I want is namespaceName. I am unfamiliar with regex and would like an assist if possible. This is the field I want:
, namespaceName=aqua2}, There is always a comma-space-namespaceName=-curly bracket-comma. (For example: , namespaceName=aqua2},

Destination app: Search
Name: nsName
Apply to: sourcetype
named:
Type: inline
Extraction/Transform: nsName=\s(?}

And I want this to be available for the users for their searches for the namespaceName values.

nls7010 · ‎08-09-2019

Tried it in a search and it works, so do I just go to the Field Extensions and create it there?

View solution in original post

nls7010 · ‎08-09-2019

I accept the answer, it works wonderfully

nls7010 · ‎08-09-2019

Tried it in a search and it works, so do I just go to the Field Extensions and create it there?

mayurr98 · ‎08-09-2019

Yes go to Settings » Fields » Field extractions » Add new and put \,\snamespaceName=(?<namespacename>[^\}]+)\}\, in Extraction/Transform.

Accept the answer if it works for you to close this question.

nls7010 · ‎08-09-2019

It worked well, thank you

mayurr98 · ‎08-09-2019

try this run anywhere search:

| makeresults | eval data=", namespaceName=aqua2}," | rex field=data "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"

In your environment, you should try:

index=your_index | rex field=_raw "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"

let me know if this helps!

nls7010 · ‎08-09-2019

" Extraction/Transform: nsName=\s(?[\,\w "

nls7010 · ‎08-09-2019

doggone it the wole line is not showing. there is a ( then a then the rest as shown

nls7010 · ‎08-09-2019

namespaceName is in between the \s and \w

Need assist with regex for extractions

Index This | What are the 12 Days of Splunk-mas?

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience