Solved: Regex certain value from a field

timyong80 · ‎03-31-2020

Hello,

I have a regex question. I have a field called "Container" and below are the examples of the values.
I would like to regex a certain part of the value but unfortunately, there's no unique marker to tell it where to start/stop. However, I noticed that there's always 3 underscores before that specific part that I need to extract so probably that could be helpful for the regex.

Can you help me with the regex expression (starts after the 3rd underscore and ends before the next underscore)?

1) k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0
2) k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351
3) k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513

Desired regex result for Container field:

1) tau-ops
2) clusteradmin
3) fltc-ods-uit

Thank you in advance.

gcusello · ‎03-31-2020

Hi @timyong80,
please try something like this:

index=your_index
| rex "^([^_]+_){3}(?<field>[^_]+)_"
| ...

that you can test at https://regex101.com/r/CCGPg6/1

Ciao.
Giuseppe

View solution in original post

vnravikumar · ‎03-31-2020

Hi

Check this

| makeresults 
| eval Container="k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0,
 k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351,
 k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513" 
| makemv delim="," Container 
| mvexpand Container 
| eval result = mvindex(split(Container,"_"),3) 
| table Container,result

timyong80 · ‎04-02-2020

Thank you! These are 3 separate entries actually., not in one field separated by comma.
But I learned new thing about makemv delim function. Thanks again!

richgalloway · ‎03-31-2020

This works with your sample data.

| rex field=Container "(?:[^_]+_){3}(?<field>[^_]+)"

---
If this reply helps you, Karma would be appreciated.

timyong80 · ‎04-02-2020

Thanks a bunch, really appreciate it. This works well!

gcusello · ‎03-31-2020

Hi @timyong80,
please try something like this:

index=your_index
| rex "^([^_]+_){3}(?<field>[^_]+)_"
| ...

that you can test at https://regex101.com/r/CCGPg6/1

Ciao.
Giuseppe

timyong80 · ‎04-02-2020

Thanks a lot 🙂 This works!

gcusello · ‎04-02-2020

Hi @timyong80,
you're welcome!
Ciao and next time!
Giuseppe

vnguyen46 · ‎04-02-2020

Hi,

How can I regex <Type> Read Only </Type> to get "Read Only"? I mean only yield text between the tags.

Thanks,

jpolvino · ‎03-31-2020

Here is one way to do it, using a Run Anywhere SPL:

| makeresults
| eval _raw="event
k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0
k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351
k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513"
| multikv forceheader=1 | fields _raw
| rex "(.*?_){3}(?<container>[^_]+)"

See regex101

timyong80 · ‎04-02-2020

Excellent, I used the rex part only and it works!
Thank you very much

Regex certain value from a field

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)