Splunk Search

Regex help

DataOrg
Builder
CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: threat call workplace||ATdT|||AC1CSED
CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: workplace management||ATdT|||AC1CSED

I want only the part from "Workflow" to the first pipe present in the above text, i.e. the selection should start at "Workflow" and end at the pipe symbol.

0 Karma

DalJeanis
Legend

Try this...

| rex "\|(?<workflow>Workflow: [^|]*)\|"
0 Karma

niketn
Legend

@premranjithj, can you please try the following and confirm?

rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

DataOrg
Builder

@niketnilay it worked, but I want the "Workflow" name as well. How do I get it?

Other rows don't have the word "Workflow" which we are looking for. So if a row doesn't have the word "Workflow", I don't want that row to have other text; I want it as empty or NA. Please help.

0 Karma

niketn
Legend

Is following query what you need?

| rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
| eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DataOrg
Builder

| eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")
this statement is not working

0 Karma

niketn
Legend

I tried the following run-anywhere search, which worked fine. I just cooked up one event without Workflow:

|  makeresults
|  eval data="CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: threat call workplace||ATdT|||AC1CSED;CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK| threat call workplace||ATdT|||AC1CSED;CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: workplace management||ATdT|||AC1CSED"
|  eval data=split(data,";")
|  mvexpand data
|  rename data as _raw
|  rex field=_raw "\|Workflow: (?<Workflow>[^\|]+)\|"
|  eval Workflow=case(searchmatch("|Workflow: "),"Workflow: ".Workflow, true(),"N/A")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

@premranjithj, can you add samples of rows without Workflow?

What is STCK? What kind of values can it have?

Or else, can you confirm whether it is always the 9th pipe (|) that has the Workflow name? In that case you can use

| eval data=split(_raw,"|")
| eval workflow=mvindex(data,9)
| eval workflow=case(match(workflow,"Workflow"),workflow,"N/A")

In fact you should take care of this while ingesting the data and index it as a Delimited String (Pipe Separated Value) so that all fields are already extracted during search-time field discovery.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DataOrg
Builder

Hi @niketnilay, it will not always be the 9th pipe that has the workflow.

0 Karma

niketn
Legend

@premranjithj, then you would definitely need to add more samples. Even for a regular expression you would need to know the pattern before or after it.

For using a delimiter you would need to know which position(s) it might be present in.

So, besides above one more question: will workflow always have name Workflow in it?

Since you own the data, you will have to tell us the pattern(s) of the data so that we can help you with the regex. Unfortunately it cannot be the other way around. Hope you understand.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DataOrg
Builder

Yes, Workflow will always have the same name and it is present only one time,
so we have to keep Workflow as the base to find it.

0 Karma

niketn
Legend

As requested, can you add a few samples or events without Workflow as well?

I have added an updated query to prefix "Workflow: " for workflow or set as "N/A" otherwise. Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

DataOrg
Builder

Below are the samples:
DOSTART||TECH||()--()||Error while other 'sequence', set 'sink' at step 'SWIfkdslTCH ON ?'.() -- Method 'help' of answered 'O

An occurred in service 'sequence' Order failed (incifdffdsdent is on time to check()

An err occurred in service |TECH|PARs||STCK|Workflow: automated||promots|physical

0 Karma
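As an added example (not part of this thread, and in Python rather than SPL), the regex niketn posted and the position-independent pipe-split alternative are run over the sample lines from the thread, plus one constructed line where "Workflow:" is the last field and no pipe follows it. The function names and the extra line are my own assumptions:

```python
import re

# Constructed sample events: the lines posted in the thread above, plus one
# extra constructed line where the Workflow field is last and has no trailing pipe.
SAMPLE_EVENTS = [
    "CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: threat call workplace||ATdT|||AC1CSED",
    "CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK| threat call workplace||ATdT|||AC1CSED",
    "CCDSRiERRSTAFGRT||FUNC||u505||PA1RA2M||STCK|Workflow: workplace management||ATdT|||AC1CSED",
    "DOSTART||TECH||()--()||Error while other 'sequence', set 'sink' at step 'SWIfkdslTCH ON ?'.() -- Method 'help' of answered 'O",
    "An occurred in service 'sequence' Order failed (incifdffdsdent is on time to check()",
    "An err occurred in service |TECH|PARs||STCK|Workflow: automated||promots|physical",
    "EXTRA||TECH||STCK|Workflow: trailing case",  # constructed: no pipe after the name
]

# Same pattern as the SPL rex in the thread: a pipe, the literal "Workflow: ",
# then everything up to (but not including) the next pipe, which must exist.
WORKFLOW_RE = re.compile(r"\|Workflow: (?P<Workflow>[^|]+)\|")


def extract_with_regex(event: str) -> str:
    """Mirror of: rex ... | eval Workflow=case(<matched>, "Workflow: ".Workflow, true(), "N/A")."""
    m = WORKFLOW_RE.search(event)
    return "Workflow: " + m.group("Workflow") if m else "N/A"


def extract_with_split(event: str) -> str:
    """Mirror of split(_raw,"|") without assuming a fixed index (the 9th pipe):
    scan every pipe-delimited field and take the first one starting with "Workflow: ".
    Unlike the regex, this also works when the field is last and no pipe follows."""
    for field in event.split("|"):
        if field.startswith("Workflow: ") and len(field) > len("Workflow: "):
            return field.rstrip()
    return "N/A"


def extract_all(events):
    """Return (regex_result, split_result) per event so the two methods can be compared."""
    return [(extract_with_regex(e), extract_with_split(e)) for e in events]


if __name__ == "__main__":
    for event, (by_regex, by_split) in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{by_regex!r:40} {by_split!r:40} <- {event[:45]}...")
```

Both methods agree on every line from the thread; they differ only on the constructed last line, where the regex returns "N/A" because it requires a closing pipe. In SPL the equivalent guard for the "N/A" branch can also be written as `isnotnull(Workflow)` after the `rex`, since `rex` leaves the field unset when the pattern does not match.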