REX parenthesis and end of line

martinhelgegren
Explorer

Hi! Been struggling a lot with a pretty simple problem but my SPLUNK REX skills are insufficient for the task. I want to match and list ANY value containing both letters, digits and characters between parenthesis at the end of line/end of string - examples:

bla bla bla (My Value0/0)
bla bla blb (My OtherValue0/1)
bla blb blc (My thirdValue0/0/0/0)

As you can see - the text BEFORE the ending value inside parentheses can be whatever. There can also be MULTIPLE similar values within parentheses along the string, but I ONLY want to match the one at the end of the line ($). The match must be every letter, space, number or typically "/" character between the parentheses.

Using other regex dev tools I get a fairly decent result with a simple string like this:

\(.*\)$

\( matches the character ( with index 40 (decimal; 28 hex or 50 octal) literally (case sensitive)
. matches any character (except for line terminators)
* matches the previous token between zero and unlimited times, as many times as possible, giving back as needed (greedy)
\) matches the character ) with index 41 (decimal; 29 hex or 51 octal) literally (case sensitive)
$ asserts position at the end of a line
 
I also have used variants of this and they all end up working very well in regex testers and dev tools and also in LINUX (when pasting the entire table of messages into a file and applying them). But not in SPLUNK - I believe there is a big coin drop along my SPLUNK use path when everything will make sense to me, unfortunately not there yet. Please help me out!
martinhelgegren
Explorer

By the way - I have also tried to extract the value using Field Extractor but then I don't get matches for ALL possible values, I have tried many times using different samples etc. and the best way thus far is extracting two fields using two different regex compilations assembled by the SPLUNK Field Extractor guide itself. But listing them forces me to return duplicates and sometimes a false value as it results in a prev. value found earlier (not at the end) in the line.

ITWhisperer
SplunkTrust
| rex "\((?<result>[^\)]+)\)$"

martinhelgegren
Explorer

Sorry - no luck. Also with the [^\)]+ included (basically added to what I already tried):

| rex "\((?<result>)\)$"

...where \( is a literal (, (?<result>) is my intended result match, followed by a literal ) and $ at end of line/string. What would be the intention of matching ^\) one or more times? Here's a more true sample line, and I want the bold value between parentheses (with or without including them - doesn't matter):

New selection for selection point 1588-SEL: 1 inputs selected: input from Selection 0/0/CPU0-ETH_RXMUX(1) (Line GigabitEthernet0/0/0/0)

ITWhisperer
SplunkTrust

Here is the regex working in regex101.com https://regex101.com/r/LInaT6/1 

ITWhisperer
SplunkTrust

And a run-anywhere example with your data:

| makeresults 
| eval _raw="New selection for selection point 1588-SEL: 1 inputs selected: input from Selection 0/0/CPU0-ETH_RXMUX(1) (Line GigabitEthernet0/0/0/0)"
| rex "\((?<result>[^\)]+)\)$"

martinhelgegren
Explorer

Yes, both regex101.com and the makeresults info you pasted does indeed work in my SPLUNK system. But appending:

| rex "\((?<result>[^\)]+)\)$"

...to my search and trying to print the actual results returns "result=null" according to SPLUNK. I get the timestamps right when adding "_time" to my printing attempts. Maybe the REX is indeed valid but I'm simply using the wrong method in trying to print it.

After I have a matched REX result I want to print a Field (already extracted - in this case a hostname), time (timestamp of the entered log message) and the actual REX result (eg. Line GigabitEthernet0/0/0/0) on a single row/line. Any help on how to table or chart or anything else I can use to perform it?

johnhuang
Motivator

Your regex could be impacted by things like hidden carriage returns, newlines, and spaces at the end of the line that may not be obvious in the UI. Sometimes you have to throw stuff against the wall to figure out where the issue lies.

Try these:

- Multivalue Match
| rex max_match=100 "(?ms)\((?<result_1>[^\)]+)\)"
| eval result_2=mvindex(result_1, -1)

- Using Split
| eval result_1=split(_raw,"(")
| eval result_2=mvindex(result_1, -1)
| rex field=result_2 mode=sed "s/\)(\s+)?//g"

- Sanitize the data (trim end)
| rex field=_raw mode=sed "s/^[\r\n]+//g"
| eval _raw=rtrim(_raw)
| rex "\((?<result_1>[^\)]+)\)$"

- Ignore possible spaces at the end of the string
| rex "\((?<result_1>[^\)]+)\)\s+?$"
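To make the effect of invisible trailing characters concrete, here is an added Python example (not code from the thread or from Splunk). It runs the three regex variants discussed above over constructed sample lines, one of which ends in a hidden carriage return and one in trailing spaces, and also mirrors the max_match + mvindex(-1) approach with re.findall. Python's re module names groups as (?P<name>...) where Splunk's PCRE-based rex uses (?<name>...); the patterns are otherwise the same. The names SAMPLES, extract, last_parenthesised and hidden_tail are this example's own.

```python
import re

# Constructed sample lines (not events from the thread's own index). Each one
# ends differently; the trailing \r and spaces are invisible in a typical UI.
SAMPLES = {
    "clean": "bla bla bla (My Value0/0)",
    "multi": "input from Selection 0/0/CPU0-ETH_RXMUX(1) (Line GigabitEthernet0/0/0/0)",
    "crlf": "bla bla blb (My OtherValue0/1)\r",
    "trailing": "bla blb blc (My thirdValue0/0/0/0)   ",
}

# Splunk rex (PCRE) writes named groups as (?<name>...); Python needs (?P<name>...).
GREEDY = re.compile(r"\((?P<result>.*)\)$")          # the asker's \(.*\)$
STRICT = re.compile(r"\((?P<result>[^)]+)\)$")       # [^)]+ = one or more non-')' chars
LENIENT = re.compile(r"\((?P<result>[^)]+)\)\s*$")   # tolerate trailing whitespace / CR


def extract(pattern, line):
    """Return the named group 'result', or None (the rex case that yields result=null)."""
    m = pattern.search(line)
    return m.group("result") if m else None


def last_parenthesised(line):
    """Equivalent of rex max_match=... followed by mvindex(result, -1):
    collect every (...) group and keep the last one, ignoring what follows it."""
    groups = re.findall(r"\(([^)]+)\)", line)
    return groups[-1] if groups else None


def hidden_tail(line, n=3):
    """Show the last n characters with escapes so a stray \\r or spaces become visible."""
    return repr(line[-n:])


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:9} tail={hidden_tail(line):10} "
              f"greedy={extract(GREEDY, line)!r} strict={extract(STRICT, line)!r} "
              f"lenient={extract(LENIENT, line)!r} last={last_parenthesised(line)!r}")
```

Two things the run shows: the greedy \(.*\)$ grabs everything from the first "(" on the "multi" line, which is the duplicate/false-value symptom described earlier, while [^)]+ stops at the first ")" and so lands on the last group; and the strict $-anchored pattern returns nothing at all when the line ends in \r or spaces, which is exactly the situation the \s*$ variant (or an rtrim/sed clean-up first) handles.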

martinhelgegren
Explorer

(re-write my reply to solution)

Bingo! It turns out all but Multivalue Match work like a charm, and the explanation should lie in whitespace in the strings. The rex string needs to look like this:

| rex "\((?<result>[^\)]+)\)\s+?$"

I completed the search with a simple table:

| table host, _time, result

Some day I too shall understand why some fields or predefined values need a prepended underscore... like "_time" (while "host" does not...)

Thank you all for contributing! You are a part of the driving force!
