Splunk Search

Regex Help

darkins
Engager

Probably a basic question.

I have the following data:

600 reason

and this rex:

(?<MetricValue>([^\s))]+))(?<Reason>([^:|^R]+))

What I am getting is 60 in MetricValue and 0 in Reason.

I presume that is due to the match being up to the next NOT space, thus MetricValue is 60 and 0 remains in the data for Reason.

What is the right way to do this such that I get value = 600 and reason = reason?


richgalloway
SplunkTrust

Given the complexity of the regex, I suspect the sample event may be over-simplified. However, if it's a matter of the value field being an integer followed by a space, with everything after that going into the reason field, then this rex command will do.

| rex "(?<MetricValue>\d+)\s(?<Reason>.*)"


---
If this reply helps you, Karma would be appreciated.

dural_yyz
Motivator

Actually most of your problem is coming from multiple capture groups inside a capture group designated by each "()" pairing.


| makeresults format=csv data="sample
600 reason and more:then what
701 code practice Reason
899 something
104 this
12 nothing"
| rex field=sample "^(?<Metric>[^\s]+)\s(?<Reason>[^:|^R]+).*$"
| table sample Metric Reason


You can see in my example that after the <field> I did not nest additional capture group designations such as what you were using. The above generates some random data which I hope fits your use case, but you provided minimal examples so I made assumptions. The rex as coded would draw out the information you are looking for, assuming that the Metric is the first one on the line or field and following that is the Reason, with your indicated cut-off characters or end of line like I indicated. Feel free to remove the indicators for beginning of line and end of line if they don't fit your data.

Here is the output I get.

sample                          Metric  Reason
600 reason and more:then what   600     reason and more
701 code practice Reason        701     code practice
899 something                   899     something
104 this                        104     this
12 nothing                      12      nothing


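To make the two answers above easy to check outside Splunk, here is an added Python example (not part of the thread and not Splunk's own code) that runs both rex patterns over the five constructed sample events from the makeresults command. The only change to the patterns is syntactic: Splunk's PCRE named groups (?<name>...) become Python's (?P<name>...); the character classes and quantifiers are exactly as posted.

```python
import re

# richgalloway's pattern: an integer, one whitespace, then everything else.
SIMPLE_REX = re.compile(r"(?P<MetricValue>\d+)\s(?P<Reason>.*)")

# dural_yyz's pattern: first non-space run, one whitespace, then a run of
# characters that are none of ':', '|', '^' or 'R' (inside [...] these are
# literal characters, not alternation or an anchor), then discard the rest.
ANCHORED_REX = re.compile(r"^(?P<Metric>[^\s]+)\s(?P<Reason>[^:|^R]+).*$")

# Constructed sample events, copied from the makeresults data in the answer.
SAMPLE_EVENTS = [
    "600 reason and more:then what",
    "701 code practice Reason",
    "899 something",
    "104 this",
    "12 nothing",
]


def extract(pattern, event):
    """Return the named capture groups of the first match as a dict, or None
    when the pattern does not match (rex would leave the fields unset)."""
    match = pattern.search(event)
    return match.groupdict() if match else None


def run_simple(events=SAMPLE_EVENTS):
    """Apply richgalloway's rex to each event, preserving order."""
    return [extract(SIMPLE_REX, event) for event in events]


def run_anchored(events=SAMPLE_EVENTS):
    """Apply dural_yyz's rex to each event, preserving order."""
    return [extract(ANCHORED_REX, event) for event in events]


def render_table(events=SAMPLE_EVENTS):
    """Mimic '| table sample Metric Reason' for the anchored pattern."""
    rows = ["{:<31} {:<7} {}".format("sample", "Metric", "Reason")]
    for event, fields in zip(events, run_anchored(events)):
        metric = fields["Metric"] if fields else ""
        reason = repr(fields["Reason"]) if fields else ""
        rows.append("{:<31} {:<7} {}".format(event, metric, reason))
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_table())
```

Two things worth noticing when you run it: the anchored pattern captures "code practice " with a trailing space for the second event, because the class [^:|^R] happily matches spaces right up to the capital R (the Splunk table hides that whitespace); and an event with no whitespace at all, such as a bare "600", matches neither pattern, so the fields are simply not created.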