Splunk Search

Regex Help!

Path Finder

Hi All,

I have a field whose values look like value1>value2>value3!!

Now I want to extract only value3 using rex!

I am not getting how to do that. Please help!

Thanks in advance:-)


Path Finder

This will get the last value:

rex ">(?<lastvalue>[^>]+?)!!$"

Splunk Employee

Another option (if the 3rd value is always at the end of the record):

(?<value3>[^\>]+)(?=$)

Motivator

Hello

Try this

... | rex "((\w|\s)+\>){2}\s(?<value3>(\w|\s)+)" |...

It would be good to have some real examples, to see what pattern we should look for, but this may work.

Regards

EDIT: Updated rex

Splunk Employee

While that regex works, you might want to try improving it a little so it performs a bit better.

E.g. consider

(\w|\s)+

vs.

[\w\s]+

As you discovered, the hyphen messes things up a little. You may want to try something such as the following:

(?:[^>]+>){2}\s*(?<value3>.+)

If there are any characters after the value3 field, then you may want to use that to anchor the end of the extraction. Something like:

(?:[^>]+>){2}\s*(?<value3>.+)\b

Should help.

If value3 is always at the end of the string, something very simple such as:

.*>\s(?<value3>.+)

Will work very well.


Path Finder

Got it!! Need to add |- between \w|\s..
Thanks again:-)


Path Finder

OlympicfohMain-Stadium > Main-Stadium Concession > Concession Areas

Surprisingly, I am not able to extract the 3rd value for this example!!


Path Finder

That worked:-) Thanks


Motivator

It is because of the white spaces; let me update the regex.


Path Finder

I want to extract only Common Domain Park


Path Finder

Real value above! Not able to extract value3 from both the rex expressions


Path Finder

System Campus > Common Domain > Common Domain Park


SplunkTrust

Hi shri_27,

If your data always looks like this one-line example and your needed value is always at the last/3rd place like in the one-line example, you can use something like this:

... | rex "(.+>){2}(?<myValue>.+)" | ...

This will give you myValue=value3

cheers, MuS
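
Added example, not posted by any participant in this thread: a small JavaScript harness that runs the patterns from the answers above, verbatim, against the sample values quoted in the thread, so the differences (the hyphen, the whitespace around `>`, the literal `!!`) show up side by side. JavaScript is used because its regex engine accepts the same `(?<name>...)` syntax; Splunk's `rex` uses PCRE, so identical behaviour is an assumption that holds for these simple patterns. The labels and the `extract` and `runAll` helpers are names made up for this example.

```javascript
// Patterns copied verbatim from the answers in this thread.
// The labels on the left are this example's own descriptions.
const patterns = {
  "literal !! anchor":  />(?<lastvalue>[^>]+?)!!$/,
  "lookahead at end":   /(?<value3>[^\>]+)(?=$)/,
  "alternation groups": /((\w|\s)+\>){2}\s(?<value3>(\w|\s)+)/,
  "negated class":      /(?:[^>]+>){2}\s*(?<value3>.+)/,
  "greedy to last >":   /.*>\s(?<value3>.+)/,
  "two greedy groups":  /(.+>){2}(?<myValue>.+)/,
};

// Sample values that appear in the thread.
const samples = [
  "value1>value2>value3!!",
  "OlympicfohMain-Stadium > Main-Stadium Concession > Concession Areas",
  "System Campus > Common Domain > Common Domain Park",
];

// Return the text captured by the pattern's named group, or null when the
// pattern does not match (unanchored search, like rex).
function extract(pattern, text) {
  const m = pattern.exec(text);
  if (!m || !m.groups) return null;
  return Object.values(m.groups)[0] ?? null;
}

// Build { label: [result for each sample] } for side-by-side comparison.
function runAll() {
  const out = {};
  for (const [label, re] of Object.entries(patterns)) {
    out[label] = samples.map((s) => extract(re, s));
  }
  return out;
}

// Print one row per pattern; JSON keeps leading spaces and nulls visible.
for (const [label, results] of Object.entries(runAll())) {
  console.log(label.padEnd(20), JSON.stringify(results));
}
```

Patterns that allow nothing between the last `>` and the capture group return the value with its leading space, and only the first pattern strips a trailing `!!`.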