Re: REGEX Help

joesrepsolc · ‎10-16-2019

Trying to pull the value from the 2nd set of brackets [ ] from this log. Some of the data values are blank, some start with a "/" and some are just text/numbers. Struggling to set regex to get the value between the brackets, regardless of what data is in there.

HELP? Thank You!

2019-10-14 10:25:30,860 [0.16.132.114:8443-78] [/microdc_1]
2019-10-14 10:25:30,854 [0.16.132.114:8443-78] [/microdc_1]
2019-10-14 10:25:30,813 [0.16.132.114:8443-78] [/microdc_1]
2019-10-14 10:25:30,526 [10.16.142.94:8443-75] [TABTHREAD1]
2019-10-14 10:25:30,514 [.16.132.111:8443-146] [/microdc_1]
2019-10-14 10:25:30,467 [.16.136.140:8443-123] [/microdc_2]
2019-10-14 10:25:30,466 [.16.136.140:8443-123] [/microdc_2]
2019-10-14 10:25:30,103 [.16.132.111:8443-146] [/microdc_1]
2019-10-14 10:25:30,097 [.16.132.111:8443-146] [/microdc_1]
2019-10-14 10:25:30,078 [.16.132.111:8443-146] [/microdc_1]
2019-10-14 10:25:29,888 [.16.134.114:8443-128] [/microdc_1]
2019-10-14 10:25:29,883 [.16.134.114:8443-128] [/microdc_1]
2019-10-14 10:25:29,865 [.16.134.114:8443-128] [/microdc_1]
2019-10-14 10:25:29,638 [0.16.130.100:8443-71] [TABTHREAD1]
2019-10-14 10:25:29,594 [10.16.142.97:8443-80] [TABTHREAD2]
2019-10-14 10:25:29,594 [10.16.142.97:8443-80] [TABTHREAD2]
2019-10-14 10:25:29,502 [.16.130.104:8443-144] [TABTHREAD1]
2019-10-14 10:25:29,462 [0.16.134.106:8443-59] [          ]
2019-10-14 10:25:29,337 [0.16.130.100:8443-47] [TABTHREAD1]
2019-10-14 10:25:29,270 [0.16.134.106:8443-59] [TABTHREAD1]

Anantha123 · ‎10-16-2019

Try this

]\s(\[\/|\[)(?<test>[^\]]+)]

Thanks
Anantha.

gcusello · ‎10-16-2019

Hi
try this regex

^[^\]]*\]\s+\[(?<my_field>[^\]]*)

that you can test at https://regex101.com/r/GCtXSM/1/

Ciao.
Giuseppe

mayurr98 · ‎10-16-2019

try this :

<your_index> | rex field=_raw "\-\d+\]\s+\[(?<Field>[^\]]+)\]"

let me know if this helps!

REGEX Help

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!