Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need help creating a regex to grab anything after last comma

mikehage
New Member
‎06-17-2015 09:32 AM

Hi,

Hope someone can help me with creating a regular expression for an extraction. I have a log file and the lines don't all have the same amount of information,but the information after the last comma always relates to the same field. I need to create a regular expression to associate anything after the last comma with an event type. When I try to do this without writing the regular expression it does not work for all lines.

Hope someone can help, let me know if you need more information.

here is a sample line:

"WBS","20150617131035-any-96095",701,0,"20150617171035Z","10.183.56.173",3,0,"","http://10.183.56.173:10021/mmsc/direct","","M-default","P-default",8799,3367,27,0,0,0,0,0,116,"",0,"",0,"","text/plain","iPhoneOS/8.3 (12F70)",200

So i would want to grab the "200" in this line but it's not always 200.

Thanks,
Mike

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-23-2018 05:00 PM

Like this:

... | rex ",(?<status>[^,]*)$"
0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎06-17-2015 10:20 AM 
... | rex ",(?<status>\d+)$"
0 Karma
Reply

tcottreau
Explorer
‎04-23-2018 04:31 PM

If the last field is non-numeric, you will miss it. richgalloway above gave a nice, simple solution, i.e. match all non-comma characters up to the last comma in the line.

0 Karma
Reply

mikehage
New Member
‎06-17-2015 10:11 AM

here is a sample line:

"WBS","20150617131035-any-96095",701,0,"20150617171035Z","10.183.56.173",3,0,"","http://10.183.56.173:10021/mmsc/direct","","M-default","P-default",8799,3367,27,0,0,0,0,0,116,"",0,"... (12F70)",200

So i would want to grab the "200" in this line but it's not always 200.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-17-2015 10:19 AM

The regex string in my answer should do it.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-17-2015 09:47 AM

A sample of your data would be useful, this will probably get you started.

.. | rex ",(?P<field>[^,]*?)$" | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...