Splunk Search

Regex Help!

shri_27
Path Finder

Hi All,

I have a field whose values look like value1>value2>value3!!

Now I want to extract only value3 using rex!

I am not able to figure out how to do that. Please help!

Thanks in advance :-)


vqd361
Path Finder

This will get the last value:

rex ">(?<lastvalue>[^>]+?)!!$"

sbrant_splunk
Splunk Employee

Another option (if the 3rd value is always at the end of the record):

(?<value3>[^\>]+)(?=$)

gfuente
Motivator

Hello

Try this

... | rex "((\w|\s)+\>){2}\s(?<value3>(\w|\s)+)" |...

It would be good to have some real examples to see what pattern we should look for, but this may work.

Regards

EDIT: Updated rex

Rob
Splunk Employee

While that regex works, you might want to try improving it a little so it performs a bit better.

E.g. consider

(\w|\s)+

vs.

[\w\s]+

As you discovered, the hyphen messes things up a little. You may want to try something such as the following:

(?:[^>]+>){2}\s*(?<value3>.+)

If there are any characters after the value3 field, then you may want to use that to anchor the end of the extraction. Something like:

(?:[^>]+>){2}\s*(?<value3>.+)\b

Should help.

If value3 is always at the end of the string, something very simple such as:

.*>\s(?<value3>.+)

will work very well.


shri_27
Path Finder

Got it!! I need to add |- between \w|\s.
Thanks again :-)


shri_27
Path Finder

Olympic_foh_Main-Stadium > Main-Stadium Concession > Concession Areas

Surprisingly, I am not able to extract the 3rd value for this example!!


shri_27
Path Finder

That worked :-) Thanks


gfuente
Motivator

It is because of the white spaces; let me update the regex.


shri_27
Path Finder

I want to extract only Common Domain Park.


shri_27
Path Finder

Real value above! I am not able to extract value3 with either of the rex expressions.


shri_27
Path Finder

System Campus > Common Domain > Common Domain Park


MuS
SplunkTrust

Hi shri_27,

If your data always looks like this one-line example and the value you need is always in the last (3rd) place, as in the one-line example, you can use something like this:

... | rex "(.+>){2}(?<myValue>.+)" | ...

This will give you myValue=value3.

cheers, MuS
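To see how the rex patterns posted in this thread (vqd361, sbrant_splunk, gfuente with and without the hyphen fix, Rob, MuS) behave on the three sample values that appear above, here is an added test harness that is not part of the thread and not Splunk's code. It assumes Python's re module is a close enough stand-in for Splunk's PCRE; the only syntax difference it has to bridge is that Python spells named groups (?P<name>...) instead of (?<name>...).

```python
import re

# Field values taken from the posts in this thread.
SAMPLES = {
    "toy":  "value1>value2>value3!!",
    "hyph": "Olympic_foh_Main-Stadium > Main-Stadium Concession > Concession Areas",
    "real": "System Campus > Common Domain > Common Domain Park",
}

# Patterns quoted in the thread, plus the |- hyphen fix shri_27 described.
PATTERNS = {
    "vqd361":       r">(?<lastvalue>[^>]+?)!!$",
    "sbrant":       r"(?<value3>[^\>]+)(?=$)",
    "gfuente":      r"((\w|\s)+\>){2}\s(?<value3>(\w|\s)+)",
    "gfuente_hyph": r"((\w|\s|-)+\>){2}\s(?<value3>(\w|\s|-)+)",
    "rob":          r"(?:[^>]+>){2}\s*(?<value3>.+)",
    "rob_simple":   r".*>\s(?<value3>.+)",
    "mus":          r"(.+>){2}(?<myValue>.+)",
}

def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).
    Lookbehinds (?<= and (?<! start with a non-letter and are left alone."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)

def extract(pattern: str, value: str):
    """Mimic `rex` on one field value: return the text of the named capture,
    or None when the pattern does not match (Splunk would leave the field unset)."""
    m = re.search(pcre_to_python(pattern), value)
    if not m:
        return None
    # Every pattern above defines exactly one named group; return its text.
    return next(iter(m.groupdict().values()))

def run_all():
    """Return {pattern_name: {sample_name: extracted_text_or_None}}."""
    return {name: {s: extract(pat, v) for s, v in SAMPLES.items()}
            for name, pat in PATTERNS.items()}

if __name__ == "__main__":
    # Leading spaces in some results show which patterns swallow the
    # whitespace after '>' and which ones fail outright on a given input.
    for name, results in run_all().items():
        print(f"{name:13}", {k: repr(v) for k, v in results.items()})
```

Running it shows the hyphen breaking the original (\w|\s)+ pattern on the Olympic_foh_Main-Stadium line, the !!-anchored pattern matching only the toy value, and the sbrant_splunk and MuS patterns returning the last field with a leading space.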
