Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need regex to extract specific data

ninadbhaskarwar
Path Finder
‎06-22-2017 11:52 AM

I need a regex to get the output as below -

Input
/ABCD/Safe+Alert+-+ABCD+failure Date: Jun 01,2017
/ABCD / Safe +Alert+-+Xyjw%28s%29+not+working Date: Jun 21,2017

Output
ABCD failure

Xyjw not working

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎06-22-2017 12:03 PM

Try like this (run anywhere sample, replace first 2 line with your search, and update the field names per yours)

| gentimes start=-1 | eval temp="/ABCD/Safe+Alert+-+ABCD+failure Date: Jun 01,2017##/ABCD / Safe +Alert+-+Xyjw%28s%29+not+working Date: Jun 21,2017" | table temp | makemv temp delim="##" | mvexpand temp 
| eval temp=urldecode(temp) | rex field=temp "Alert\s*-\s*(?<YourField>[^\:]+)"

Updated Answer

| gentimes start=-1 | eval temp="/ABCD/Safe+Alert+-+ABCD+failure Date: Jun 01,2017##/ABCD / Safe +Alert+-+Xyjw%28s%29+not+working Date: Jun 21,2017" | table temp | makemv temp delim="##" | mvexpand temp 
| eval temp=urldecode(temp) | rex field=temp "Alert\s*-\s*(?<YourField>.+)\sDate\:"

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-22-2017 12:07 PM

Like this:

|makeresults |eval raw="/ABCD/Safe+Alert+-+ABCD+failure Date: Jun 01,2017
/ABCD / Safe +Alert+-+Xyjw%28s%29+not+working Date: Jun 21,2017"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| eval output=_raw
| rex field=output mode=sed "s%^/([^/]+)/(?:[^+]*\+){4}(.*) Date.*$%\1 \2% s/\+/ /g"
0 Karma
Reply
Solved! Jump to solution

ninadbhaskarwar
Path Finder
‎06-23-2017 08:51 AM

Hi I have already tried your solution but output for second line is

"ABCD not working" where as I was expecting "Xyjw not working"

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-23-2017 09:17 AM

ARGH! I grabbed the wrong ABCD! I will update; hang on...

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎06-22-2017 12:03 PM

Try like this (run anywhere sample, replace first 2 line with your search, and update the field names per yours)

| gentimes start=-1 | eval temp="/ABCD/Safe+Alert+-+ABCD+failure Date: Jun 01,2017##/ABCD / Safe +Alert+-+Xyjw%28s%29+not+working Date: Jun 21,2017" | table temp | makemv temp delim="##" | mvexpand temp 
| eval temp=urldecode(temp) | rex field=temp "Alert\s*-\s*(?<YourField>[^\:]+)"

Updated Answer

| gentimes start=-1 | eval temp="/ABCD/Safe+Alert+-+ABCD+failure Date: Jun 01,2017##/ABCD / Safe +Alert+-+Xyjw%28s%29+not+working Date: Jun 21,2017" | table temp | makemv temp delim="##" | mvexpand temp 
| eval temp=urldecode(temp) | rex field=temp "Alert\s*-\s*(?<YourField>.+)\sDate\:"
Reply
Solved! Jump to solution

ninadbhaskarwar
Path Finder
‎06-22-2017 03:32 PM

Output is "ABCD failure Date", I need output without "Date", any suggestion?

0 Karma
Reply
Solved! Jump to solution

somesoni2
SplunkTrust
SplunkTrust
‎06-23-2017 09:07 AM

Try the updated answer.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-23-2017 09:12 AM

Try the updated answer by @somesoni2 😆

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-23-2017 01:29 AM

Try my answer.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...