Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Regex in query

jacqu3sy
Path Finder
‎10-14-2017 08:38 AM

Hi,

Can anyone help with a regex to extract into a new field anything contained within raw data after a #?

For example, the following data from twitter;

opIcarus #opBlackOctober #opSacred #opMASSHACK ENGAGED https://t.co/JiWVA4kOXr

I'd like a way to extract and list all the content after each hash.

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-14-2017 04:43 PM

I think this should do what you're looking for:
rex max_match=0 field=_raw \#(?<extracted_field>[^\# ]*)
The keys here are the max_match argument, which tells rex to not stop at the first match, and also a slight modification to the regex that @cusello suggested (by adding a space to the ignored characters). Without that modification, I believe you will get erroneous matches.

Note that the max_match argument defaults to the value of 1. Setting it to 0 makes it unlimited, but you could set it to some other specific value if you only wanted to match a certain number of instances. Here is some info in the docs:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Rex

View solution in original post

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-15-2017 01:04 AM

Hi jacqu3sy,
try 

| rex max_match=0 "\#(?<my_field>[^\#]*)"

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-14-2017 04:43 PM

I think this should do what you're looking for:
rex max_match=0 field=_raw \#(?<extracted_field>[^\# ]*)
The keys here are the max_match argument, which tells rex to not stop at the first match, and also a slight modification to the regex that @cusello suggested (by adding a space to the ignored characters). Without that modification, I believe you will get erroneous matches.

Note that the max_match argument defaults to the value of 1. Setting it to 0 makes it unlimited, but you could set it to some other specific value if you only wanted to match a certain number of instances. Here is some info in the docs:
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Rex

0 Karma
Reply
Solved! Jump to solution

jacqu3sy
Path Finder
‎10-15-2017 02:46 AM

Perfect - thank you for the detailed response. It's much appreciated.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-14-2017 08:51 AM

Hi jacqu3sy,
try this regex

\#(?<my_field>[^\#]*)

you can test it at https://regex101.com/r/Sk52x3/1

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

jacqu3sy
Path Finder
‎10-14-2017 10:18 AM

Not quite. It pulls out the first #hashtag within the _raw field, but ignores the others. So in the example above, it would extract #opBlackOctober, but ignore the others.

Is there a way of extracting all? Thanks.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...