Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

REGEX Help

joesrepsolc
Communicator
‎10-16-2019 09:10 AM

Trying to pull the value from the 2nd set of brackets [ ] from this log. Some of the data values are blank, some start with a "/" and some are just text/numbers. Struggling to set regex to get the value between the brackets, regardless of what data is in there.

HELP? Thank You!

2019-10-14 10:25:30,860 [0.16.132.114:8443-78] [/microdc_1]
2019-10-14 10:25:30,854 [0.16.132.114:8443-78] [/microdc_1]
2019-10-14 10:25:30,813 [0.16.132.114:8443-78] [/microdc_1]
2019-10-14 10:25:30,526 [10.16.142.94:8443-75] [TABTHREAD1]
2019-10-14 10:25:30,514 [.16.132.111:8443-146] [/microdc_1]
2019-10-14 10:25:30,467 [.16.136.140:8443-123] [/microdc_2]
2019-10-14 10:25:30,466 [.16.136.140:8443-123] [/microdc_2]
2019-10-14 10:25:30,103 [.16.132.111:8443-146] [/microdc_1]
2019-10-14 10:25:30,097 [.16.132.111:8443-146] [/microdc_1]
2019-10-14 10:25:30,078 [.16.132.111:8443-146] [/microdc_1]
2019-10-14 10:25:29,888 [.16.134.114:8443-128] [/microdc_1]
2019-10-14 10:25:29,883 [.16.134.114:8443-128] [/microdc_1]
2019-10-14 10:25:29,865 [.16.134.114:8443-128] [/microdc_1]
2019-10-14 10:25:29,638 [0.16.130.100:8443-71] [TABTHREAD1]
2019-10-14 10:25:29,594 [10.16.142.97:8443-80] [TABTHREAD2]
2019-10-14 10:25:29,594 [10.16.142.97:8443-80] [TABTHREAD2]
2019-10-14 10:25:29,502 [.16.130.104:8443-144] [TABTHREAD1]
2019-10-14 10:25:29,462 [0.16.134.106:8443-59] [          ]
2019-10-14 10:25:29,337 [0.16.130.100:8443-47] [TABTHREAD1]
2019-10-14 10:25:29,270 [0.16.134.106:8443-59] [TABTHREAD1]
0 Karma
Reply

Anantha123
Communicator
‎10-16-2019 09:24 AM

Try this

]\s(\[\/|\[)(?<test>[^\]]+)]

Thanks
Anantha.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-16-2019 09:17 AM

Hi
try this regex

^[^\]]*\]\s+\[(?<my_field>[^\]]*)

that you can test at https://regex101.com/r/GCtXSM/1/

Ciao.
Giuseppe

0 Karma
Reply

mayurr98
Super Champion
‎10-16-2019 09:16 AM

try this :

<your_index> | rex field=_raw "\-\d+\]\s+\[(?<Field>[^\]]+)\]"

let me know if this helps!

0 Karma
Reply
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...

Splunk ITSI & Correlated Network Visibility

 Take Your Network Visibility to the Next LevelIn today’s complex IT environments, performance issues can stem ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...