Hi, I wonder whether someone could help me please.
I have a string of fields in my raw data in exactly the same format as below.
Address=Address Line 1=1 The Close,
Although I'm trying desperately to learn more about rex expressions, I'm struggling with what I'm trying to accomplish which is:
Could someone possibly have a look at this please and offer some guidance on how I may achieve this please.
Because I am very keen to learn from this, may I ask if an explanation could also be provided.
Many thanks and kindest regards
Chris
Hi IRHM73,
I suggest learning regex and using online tools like https://regex101.com where you can easily find that the following regex will match your requirements:
your base search here | rex "Address\sLine\s1=(?<address>.*)," | do what ever you want with address
or you use the Splunk built-in field extractor http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/ExtractfieldsinteractivelywithIFX
cheers, MuS
Hi @MuS, thank you for taking the time to look at this post and come back to me with this.
The extract works, but it extracts the whole transaction which includes 'ip address' and host 'computer settings', rather than just the address Line 1 Data.
I'm currently looking at regex. Hopefully it will help.
Many thanks and kind regards
Chris
It's like yesterday, you're asking for something without providing enough information. Provide a real event, hide private information and the community can help you - otherwise, see my answer 😉
Hi @MuS thank you for this. I fully appreciate your comment. The problem I have is that the events include personal information, so I've been trying to make a post with all the information needed without breaking data protection.
Many thanks and kind regards.
Chris
rex "Address Line1=(?<address>[^,]*)"
The regex just looks for everything except a comma ([^,]*) that comes after Address Line 1=, and saves it into the field address
I hope this helps
Hi @sduff, this is great, it works a treat.
Kind Regards
Chris
Hi @sduff, thank you for coming back to me with this.
Please find an example of the full data string below:
Address=Address Line 1=1 The Street, Address Line 2=The Town, Address Line 3=, Address Line 4=, PostCode=AB1 2CD,
I hope this helps.
Many thanks and kind regards
Chris
rex "Address Line 1=(?<address>[^,]*)"
Needed a space between Line and 1. I've tested this and it works for me.
You probably need several rex (or you could combine them all into a single rex) to get all the lines.
| rex "Address Line 1=(?<address1>[^,]*)"
| rex "Address Line 2=(?<address2>[^,]*)"
| rex "Address Line 3=(?<address3>[^,]*)"
| rex "Address Line 4=(?<address4>[^,]*)"
| rex "PostCode=(?<address_postcode>[^,]*)"
Hi @sduff, thank you very much for this.
Although I'm no longer receiving an error message, I'm still unable to extract the information.
Many thanks and kind regards
Chris
Can I suggest you provide some examples of the data you're having trouble with. It's a fairly simple regex, it shouldn't be too complicated.
Hi @sduff, thank you for taking the time to reply to my post.
Unfortunately, when I run this I receive the following error:
Error in 'rex' command: Encountered the following error while compiling the regex 'Address Line1=(?.*)': Regex: unrecognized character after (? or (?-
May I also provide you with more details.
After 'Address=Address Line 1=1 The Close' there is a comma which separates this line and the second address line. I don't know whether this helps.
I've updated my original post to reflect this.
Many thanks and kind regards
Chris
I've updated my answer to show the code a bit clearer. It also reads everything except a comma, so it will stop when it reaches there.
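Added example, not part of any post in this thread: the greedy `.*,` pattern and the comma-bounded `[^,]*` pattern from the answers above, run side by side in Python over the sample address string to show why one captures the rest of the event and the other stops at the first comma. The trailing `ip address` and `host` fields, their values, and the function names are constructed for illustration.

```python
import re

# Constructed event: the address string posted in the thread, followed by
# made-up trailing fields standing in for the "ip address" and host data.
EVENT = ("Address=Address Line 1=1 The Street, Address Line 2=The Town, "
         "Address Line 3=, Address Line 4=, PostCode=AB1 2CD, "
         "ip address=192.0.2.10, host=example-host,")

# Splunk's rex uses PCRE named groups, (?<name>...). Python's re module
# spells the same thing (?P<name>...); the patterns are otherwise unchanged.
GREEDY = re.compile(r"Address\sLine\s1=(?P<address>.*),")
BOUNDED = re.compile(r"Address Line 1=(?P<address>[^,]*)")
NO_SPACE = re.compile(r"Address Line1=(?P<address>[^,]*)")  # "Line1" typo

# One pattern per field, mirroring the chain of rex commands in the thread.
FIELD_PATTERNS = {
    "address1": r"Address Line 1=(?P<value>[^,]*)",
    "address2": r"Address Line 2=(?P<value>[^,]*)",
    "address3": r"Address Line 3=(?P<value>[^,]*)",
    "address4": r"Address Line 4=(?P<value>[^,]*)",
    "address_postcode": r"PostCode=(?P<value>[^,]*)",
}


def extract_address(pattern, event):
    """Return the 'address' capture, or None when the pattern does not match."""
    match = pattern.search(event)
    return match.group("address") if match else None


def extract_all(event):
    """Apply every field pattern; [^,]* also matches empty values."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group("value").strip()
    return fields


if __name__ == "__main__":
    print("greedy  :", extract_address(GREEDY, EVENT))
    print("bounded :", extract_address(BOUNDED, EVENT))
    print("no space:", extract_address(NO_SPACE, EVENT))
    print("all     :", extract_all(EVENT))
```

The greedy pattern backtracks only as far as the last comma in the event, which is why it pulls in every field after the address; the bounded pattern cannot cross a comma at all.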