Regex certain value from a field

timyong80
Explorer

Hello,

I have a regex question. I have a field called "Container" and below are some examples of its values.
I would like to extract a certain part of the value with a regex, but unfortunately there's no unique marker to tell it where to start/stop. However, I noticed that there are always 3 underscores before the specific part that I need to extract, so probably that could be helpful for the regex.

Can you help me with the regex expression (starts after the 3rd underscore and ends before the next underscore)?

1) k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0
2) k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351
3) k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513

Desired regex result for Container field:

1) tau-ops
2) clusteradmin
3) fltc-ods-uit

Thank you in advance.


gcusello
SplunkTrust

Hi @timyong80,
please try something like this:

index=your_index
| rex "^([^_]+_){3}(?<field>[^_]+)_"
| ...

that you can test at https://regex101.com/r/CCGPg6/1

Ciao.
Giuseppe


vnravikumar
Champion

Hi

Check this

| makeresults 
| eval Container="k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0,
 k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351,
 k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513" 
| makemv delim="," Container 
| mvexpand Container 
| eval result = mvindex(split(Container,"_"),3) 
| table Container,result

timyong80
Explorer

Thank you! These are actually 3 separate entries, not one field with values separated by commas.
But I learned a new thing about the makemv delim function. Thanks again!


richgalloway
SplunkTrust

This works with your sample data.

| rex field=Container "(?:[^_]+_){3}(?<field>[^_]+)"
---
If this reply helps you, Karma would be appreciated.
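As an added example (not code from this thread), the two approaches given in the answers above, the `rex` pattern `(?:[^_]+_){3}(?<field>[^_]+)` and vnravikumar's `mvindex(split(Container,"_"),3)`, ported to Python so they can be compared side by side on the question's three sample values and on constructed edge cases. The sample list and the edge-case strings are constructed here for illustration; the function names are assumptions. The comparison is worth running before rolling an extraction into a production search: the regex silently drops any value where one of the first three segments is empty, while the split approach does not, so a monitoring search built on one may count events differently from one built on the other.

```python
import re

# Constructed sample input: the three Container values from the question.
SAMPLE_CONTAINERS = [
    "k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0",
    "k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351",
    "k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513",
]

# Same pattern as the rex answers: consume three "non-underscore run + underscore"
# groups from the start of the string, then capture the next non-underscore run.
# Underscore is a safe delimiter here because Kubernetes container, pod and
# namespace names are DNS-1123 labels, which cannot contain underscores; the
# fourth segment is the pod namespace in the kubelet's Docker container naming.
SEGMENT_RE = re.compile(r"^(?:[^_]+_){3}(?P<field>[^_]+)")


def extract_with_regex(container):
    """Return the 4th underscore-delimited segment via the rex-style pattern.

    Returns None when the pattern does not match (fewer than four segments, or
    an empty segment among the first three, since [^_]+ needs at least one char).
    """
    m = SEGMENT_RE.match(container)
    return m.group("field") if m else None


def extract_with_split(container):
    """Python equivalent of mvindex(split(Container,"_"),3).

    Splunk returns null for an out-of-range mvindex; None models that here.
    Empty segments are kept by split, so "k8s__pod_ns_..." still yields "ns".
    """
    parts = container.split("_")
    if len(parts) <= 3 or parts[3] == "":
        return None
    return parts[3]


def compare_methods(values):
    """Return the inputs on which the two extractors disagree.

    An empty list means the regex and the split approach are interchangeable
    for that data set; anything else is a value one search would miss.
    """
    return [v for v in values if extract_with_regex(v) != extract_with_split(v)]


if __name__ == "__main__":
    for c in SAMPLE_CONTAINERS:
        print(f"{extract_with_regex(c):<14} {extract_with_split(c):<14} {c}")
    # Constructed edge cases: too few segments, and an empty second segment.
    edge_cases = ["k8s_a_b", "k8s__pod_ns_uid_0"]
    print("disagreements:", compare_methods(SAMPLE_CONTAINERS + edge_cases))
```

The regex version is the one to prefer when the field must be non-empty for the first three segments anyway (it doubles as a format check); the split version is the one to prefer when you want every event to produce a value and deal with malformed names downstream.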

timyong80
Explorer

Thanks a bunch, really appreciate it. This works well!



timyong80
Explorer

Thanks a lot 🙂 This works!


gcusello
SplunkTrust

Hi @timyong80,
you're welcome!
Ciao and next time!
Giuseppe


vnguyen46
Contributor

Hi,

How can I regex `<Type> Read Only </Type>` to get "Read Only"? I mean, only yield the text between the tags.

Thanks,


jpolvino
Builder

Here is one way to do it, using a Run Anywhere SPL:

| makeresults
| eval _raw="event
k8s_jenkins_jenkins-16-mrlz4_tau-ops_eb099c1d-6d70-11ea-8ba8-001a4a160104_0
k8s_datadog-agent_datadog-agent-t4dlc_clusteradmin_dd5f238b-6a16-11ea-8ef9-566f4e1c0167_351
k8s_core-order-service_core-order-service-deployment-1-t9b29_fltc-ods-uit_b10cf94d-64b1-11ea-8ef9-566f4e1c0167_3513"
| multikv forceheader=1 | fields _raw
| rex "(.*?_){3}(?<container>[^_]+)"

See regex101


timyong80
Explorer

Excellent, I used the rex part only and it works!
Thank you very much
