Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex in query

jacqu3sy
Path Finder
‎10-14-2017 08:38 AM

Hi,

Can anyone help with a regex to extract into a new field anything contained within raw data after a #?

For example, the following data from twitter;

opIcarus #opBlackOctober #opSacred #opMASSHACK ENGAGED https://t.co/JiWVA4kOXr

I'd like a way to extract and list all the content after each hash.

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-14-2017 04:43 PM

I think this should do what you're looking for:
rex max_match=0 field=_raw \#(?<extracted_field>[^\# ]*)
The keys here are the max_match argument, which tells rex to not stop at the first match, and also a slight modification to the regex that @cusello suggested (by adding a space to the ignored characters). Without that modification, I believe you will get erroneous matches.

Note that the max_match argument defaults to the value of 1. Setting it to 0 makes it unlimited, but you could set it to some other specific value if you only wanted to match a certain number of instances. Here is some info in the docs:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Rex

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-15-2017 01:04 AM

Hi jacqu3sy,
try 

| rex max_match=0 "\#(?<my_field>[^\#]*)"

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-14-2017 04:43 PM

I think this should do what you're looking for:
rex max_match=0 field=_raw \#(?<extracted_field>[^\# ]*)
The keys here are the max_match argument, which tells rex to not stop at the first match, and also a slight modification to the regex that @cusello suggested (by adding a space to the ignored characters). Without that modification, I believe you will get erroneous matches.

Note that the max_match argument defaults to the value of 1. Setting it to 0 makes it unlimited, but you could set it to some other specific value if you only wanted to match a certain number of instances. Here is some info in the docs:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Rex

0 Karma
Reply
Solved! Jump to solution

jacqu3sy
Path Finder
‎10-15-2017 02:46 AM

Perfect - thank you for the detailed response. It's much appreciated.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-14-2017 08:51 AM

Hi jacqu3sy,
try this regex

\#(?<my_field>[^\#]*)

you can test it at https://regex101.com/r/Sk52x3/1

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

jacqu3sy
Path Finder
‎10-14-2017 10:18 AM

Not quite. It pulls out the first #hashtag within the _raw field, but ignores the others. So in the example above, it would extract #opBlackOctober, but ignore the others.

Is there a way of extracting all? Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
Top