Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex help

DataOrg
Builder
‎09-05-2017 02:45 AM 
CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: threat call workplace||ATdT|||AC1CSED
CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: workplace management||ATdT|||AC1CSED

I want only from Workflow to first pipe present " from the above text and i want to select from starting workflow and it should end in pipe symboll

0 Karma
Reply

DalJeanis
Legend
‎09-05-2017 07:04 AM

Try this...

| rex "|(<workflow>Workflow: [^|]*)|"
0 Karma
Reply

niketn
Legend
‎09-05-2017 02:54 AM

@premranjithj, can you please try the following and confirm?

rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

DataOrg
Builder
‎09-05-2017 03:02 AM

@niketnilay its worked. but i want from workflow name also. how to get it.

other rows doesn't have word workflow which we are looking. so if that row doesnt have word workflow. i want dont want that row to have other text . i want as empty or NA. pls help

0 Karma
Reply

niketn
Legend
‎09-05-2017 04:36 AM

Is following query what you need?

| rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
| eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

DataOrg
Builder
‎09-05-2017 06:16 AM

| eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")
this statement nt working

0 Karma
Reply

niketn
Legend
‎09-05-2017 07:37 AM

I tried following run anywhere search which worked fine. I just cooked up one event without Workflow:

|  makeresults
|  eval data="CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: threat call workplace||ATdT|||AC1CSED;CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK| threat call workplace||ATdT|||AC1CSED;CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: workplace management||ATdT|||AC1CSED"
|  eval data=split(data,";")
|  mvexpand data
|  rename data as _raw
|  rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
|  eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎09-05-2017 03:36 AM

@premranjithj, can you add samples of rows without workflow.

What is STCK? What kind of values can i have?

Or else can you confirm whether it is always the 9th pipe (|) that will have Workflow name? In that case you can use

| eval data=split(_raw,"|")
| eval workflow=mvindex(data,9)
| eval workflow=case(match(workflow,"Workflow"),workflow,"N/A")

In fact you should take care of this while ingesting the data and index it with Delimited String (Pipe Separated Value) so that all fields are already extracted during search time field discovery.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

DataOrg
Builder
‎09-05-2017 04:02 AM

hi @niketnilay it will not be always be 9th pipe that will have workflow.

0 Karma
Reply

niketn
Legend
‎09-05-2017 04:10 AM

@premranjithj, then you would definitely need to add more samples. Even for regular expression you would need to know before or after pattern.

For using delimeter you would need to know which position/s it might be present.

So, besides above one more question: will workflow always have name Workflow in it?

Since you own the data, you will have to tell us the pattern/s of data so that we can help you with regex. Unfortunately it can not be the other way around. Hope you understand.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

DataOrg
Builder
‎09-05-2017 04:16 AM

yes always workflow will have the same name and only one time its present
so we have to keep workflow as base to find

0 Karma
Reply

niketn
Legend
‎09-05-2017 04:33 AM

As requested can you add few samples or events without Workflow as well?

I have added an updated query to prefix "Workflow: " for workflow or set as "N/A" otherwise. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

DataOrg
Builder
‎09-05-2017 04:48 AM

below are the samples
DOSTART||TECH||()--()||Error while other 'sequence', set 'sink' at step 'SWIfkdslTCH ON ?'.() -- Method 'help' of answered 'O

An occurred in service 'sequence' Order failed (incifdffdsdent is on time to check()

An err occurred in service |TECH|PARs||STCK|Workflow: automated||promots|physical

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...