Solved: Re: Reg Expression to find middle charatcter

ashokapex · ‎03-08-2016

Hi ,
I am new in splunk, i need to find some letter from text using Reg: ex.
how i can do.

i have to find text after Channel , (BLACKROCK) only i dont want to find other text
and this text can chnage, i only know after channel and before trader??

i am using this , but taking every thing after BlackRock ,rex field=_raw "channel (?.*)"

channel BLACKROCK** trader null, new version is 4 new status is Timed Out (Client)

somesoni2 · ‎03-08-2016

Try something like this

your base search | rex "channel (?<YourField>\w+)"

OR

your base search | rex "channel (?<YourField>\S+)"

OR

your base search | rex "channel (?<YourField>[^\s]+)"

Update
For multiple fields (assuming status is complete string from "new status is " to the end)

   your base search | rex "channel (?<YourField>\S+)([^,]+), new version is (?<version>\S+) new status is (?<status>.*)"

View solution in original post

somesoni2 · ‎03-08-2016

Try something like this

your base search | rex "channel (?<YourField>\w+)"

OR

your base search | rex "channel (?<YourField>\S+)"

OR

your base search | rex "channel (?<YourField>[^\s]+)"

Update
For multiple fields (assuming status is complete string from "new status is " to the end)

   your base search | rex "channel (?<YourField>\S+)([^,]+), new version is (?<version>\S+) new status is (?<status>.*)"

ashokapex · ‎03-08-2016

Nice cool, how we can do multiple field.

rex field=_raw "channel (?\S+) new status is (?.*) "

Reg Expression to find middle charatcter

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!