Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need assist with regex for extractions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to get some name space information from the clients inputs. the value I want is namespaceName. I am unfamiliar with regex and would like an assist if possible. This is the field I want:
, namespaceName=aqua2}, There is always a comma-space-namespaceName=-curly bracket-comma. (For example: , namespaceName=aqua2},
Destination app: Search
Name: nsName
Apply to: sourcetype
named:
Type: inline
Extraction/Transform: nsName=\s(?}
And I want this to be available for the users for their searches for the namespaceName values.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried it in a search and it works, so do I just go to the Field Extensions and create it there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I accept the answer, it works wonderfully
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried it in a search and it works, so do I just go to the Field Extensions and create it there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes go to Settings » Fields » Field extractions » Add new and put \,\snamespaceName=(?<namespacename>[^\}]+)\}\, in Extraction/Transform.
Accept the answer if it works for you to close this question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked well, thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this run anywhere search:
| makeresults | eval data=", namespaceName=aqua2}," | rex field=data "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"
In your environment, you should try:
index=your_index | rex field=_raw "\,\snamespaceName=(?<namespacename>[^\}]+)\}\,"
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
" Extraction/Transform: nsName=\s(?[\,\w "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
doggone it the wole line is not showing. there is a ( then a then the rest as shown
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
namespaceName is in between the \s and \w
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
