Splunk Search

Need help on regexing a field to only show everything after a character

tdavison76
Path Finder

Hello everyone,

I am terrible at regex. I am trying to regex a field called "alert.message" to create another field with only the contents of alert.message after "On-Prem - ". I can achieve this in regex101 with:

(?<=On-Prem - ).*

But I know in Splunk we have to give it a field name. I can't figure out the correct syntax to add the field name so it would work.

An example of one I've tried without success:

rex field="alert.message" "\?(?<Name><=On Prem - ).*"

If possible, could someone help me out with this one? 🙂

Thanks for any help,

Tom


ITWhisperer
SplunkTrust

Almost there - try something like this

| rex field='alert.message' "On Prem - (?<Name>.*)"

gcusello
SplunkTrust

Hi @tdavison76 ,

I could be more detailed if you could share a sample of your logs; anyway, if you want to take all the content of the "alert.message" field after "On-Prem - ", you could try:

| rex field="alert.message" "\<\=On Prem - (?<Name>.*)"

Ciao.

Giuseppe

tdavison76
Path Finder

Hello Giuseppe,

Thank you very much for the help. I gave the regex a shot, but it still didn't return any results. Here's an event that has the alert.message field of "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com" included.


{"actionType": "custom", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "ownerDomain": "integration", "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "discardScriptResponse": true, "sendCallbackToStreamHub": false, "requestId": "46f22bab-2964-4294-885e-2a7bd12ddd19", "action": "Close", "productSource": "Opsgenie", "customerDomain": "domain", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "customerTransitioningOrConsolidated": false, "source": {"name": "", "type": "ThousandEyes"}, "type": "oec", "receivedAt": 1720795936606, "params": {"type": "oec", "alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "customerId": "3a1f4387-b87b-4a3a-a568-cc372a86d8e4", "action": "Close", "integrationId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9", "integrationName": "Opsgenie Edge Connector - Splunk", "integrationType": "OEC", "customerDomain": "domain", "alertDetails": {"Alert Details URL": "https://app.thousandeyes.com/alerts/list/?__a=210261&alertId=1017a144-c138-43d1-ab0e-5840c854c082", "TeamsDescription": "True"}, "alertAlias": "1017a144-c138-43d1-ab0e-5840c854c082", "receivedAt": 1720795936606, "customerConsolidated": false, "customerTransitioningOrConsolidated": false, "productSource": "Opsgenie", "source": {"name": "", "type": "ThousandEyes"}, "alert": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, 
"entity": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "ownerId": "2196f43b-7e43-49dd-b8b7-8243aa391ad9"}, "integrationType": "OEC", "alert": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}, "customerConsolidated": false, "mappedActionDto": {"mappedAction": "postActionToOEC", "extraField": ""}, "alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "alertAlias": "1017a144-c138-43d1-ab0e-5840c854c082", "alertDetails": {"Alert Details URL": "https://app.thousandeyes.com/alerts/list/?__a=210261&alertId=1017a144-c138-43d1-ab0e-5840c854c082", "TeamsDescription": "True"}, "entity": {"alertId": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", "id": "7404ee53-37e3-4986-83e4-0863805d8e48-1720786307165", 
"type": "alert", "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com", "tags": [], "tinyId": "64620", "entity": "", "alias": "1017a144-c138-43d1-ab0e-5840c854c082", "createdAt": 1720786307165, "updatedAt": 1720795937106000000, "username": "ThousandEyes", "responders": [{"id": "383fed32-da1e-4847-a621-3e95a2575d9c", "type": "team", "name": "Pricing_Alerts"}], "teams": ["383fed32-da1e-4847-a621-3e95a2575d9c"], "actions": [], "priority": "P3", "oldPriority": "P3", "source": "ThousandEyes"}}


Here's the actual Search I am running:

[screenshot of the search: tdavison76_0-1733152685750.png]

Just let me know if more details are needed, and thanks again.

Tom


gcusello
SplunkTrust

Hi @tdavison76 ,

Please try this regex:

| rex field="alert.message" "On-Prem - (?<your_field>[^\"]+)"

that you can test at https://regex101.com/r/RWQr9a/1

Ciao.

Giuseppe

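An added example (not posted by anyone in this thread) that runs the patterns discussed above in Python against a trimmed copy of Tom's sample event. It shows why the earlier attempts failed on the hyphen ("On Prem" never matches the real text "On-Prem"), why Giuseppe's final `[^\"]+` is safer than `.*` when the regex is run over the raw JSON event rather than the already-extracted alert.message field, and that the regex101 lookbehind and the Splunk named-group form capture the same value. Splunk's rex uses PCRE syntax `(?<Name>...)`; Python's `re` needs `(?P<Name>...)`, which is the only difference in the patterns below. The helper names and the trimmed event are constructed for this example.

```python
import json
import re

# Constructed sample: a trimmed copy of the event from the thread, keeping
# only the fields the regex needs. json.dumps emits ", " and ": " separators.
SAMPLE_EVENT = json.dumps({
    "alert": {
        "message": "[ThousandEyes] Alert for priceSingle On-Prem - uepricing.domain.com",
        "priority": "P3",
    }
})

# Splunk rex uses PCRE (?<Name>...); Python re needs (?P<Name>...).
RE_LOOKBEHIND = re.compile(r"(?<=On-Prem - ).*")               # regex101 version, no named group
RE_GROUP_GREEDY = re.compile(r"On-Prem - (?P<Name>.*)")        # named group, greedy to end of text
RE_GROUP_NOQUOTE = re.compile(r"On-Prem - (?P<Name>[^\"]+)")   # named group, stops at closing quote
RE_NO_HYPHEN = re.compile(r"On Prem - (?P<Name>.*)")           # missing hyphen, as in earlier replies


def extract_name(pattern, text):
    """Return the captured value, or None when the pattern does not match.

    Uses the named group 'Name' when the pattern defines one (the Splunk
    form); otherwise returns the whole match (the lookbehind form).
    """
    m = pattern.search(text)
    if m is None:
        return None
    return m.group("Name") if "Name" in pattern.groupindex else m.group(0)


def field_value(event_json):
    """Mimic Splunk auto-extracting alert.message from a JSON event."""
    return json.loads(event_json)["alert"]["message"]


def demo():
    """Run every pattern on the extracted field and on the raw event."""
    msg = field_value(SAMPLE_EVENT)
    return {
        "lookbehind_on_field": extract_name(RE_LOOKBEHIND, msg),
        "greedy_on_field": extract_name(RE_GROUP_GREEDY, msg),
        "greedy_on_raw": extract_name(RE_GROUP_GREEDY, SAMPLE_EVENT),
        "noquote_on_raw": extract_name(RE_GROUP_NOQUOTE, SAMPLE_EVENT),
        "no_hyphen_on_field": extract_name(RE_NO_HYPHEN, msg),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value!r}")
```

Running it shows the greedy `.*` over the raw event drags in `", "priority": "P3"}}` after the host name, while `[^\"]+` returns just `uepricing.domain.com` in both cases, and the hyphen-less pattern returns nothing at all.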