Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to capture values

xvxt006
Contributor
‎09-27-2015 03:21 PM

Hi,

I have events like below. I need to extract 4EU56, 4YB2. the number of lines between statictext and Y-EER-RTY would vary.
Sometimes I might not have anything, sometimes they could be 10, and sometimes they could be some other number.
In the example below, I gave 2. So how can I get all of them between, and | for all of them till Y-EER-RTY?

statictext
,4EU56|1|1|456|anotherstatictext
,4YB2|1|1|946|200930||||S_NW|anotherstatictext
 Y-EER-RTY
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎09-27-2015 03:32 PM

Hi xvxt006,

based on the provided example you can use this regex:

base search here | rex max_match=0 "^,(?<myField>[^|]*)" | table myField

This will get everything between all lines starting with , until the next |

Update:

based on the comments below, this is the correct answer

Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right

 (?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)

Works on regex101.com with your provided examples and returns the following matches:

 MATCH 1
 myField    [94-100]    `12R071`
 MATCH 2
 myField    [159-165]    `12R095`
 MATCH 3
 myField    [224-230]    `12R090`
 MATCH 4
 myField    [289-295]    `12R078`

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎09-27-2015 03:32 PM

Hi xvxt006,

based on the provided example you can use this regex:

base search here | rex max_match=0 "^,(?<myField>[^|]*)" | table myField

This will get everything between all lines starting with , until the next |

Update:

based on the comments below, this is the correct answer

Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right

 (?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)

Works on regex101.com with your provided examples and returns the following matches:

 MATCH 1
 myField    [94-100]    `12R071`
 MATCH 2
 myField    [159-165]    `12R095`
 MATCH 3
 myField    [224-230]    `12R090`
 MATCH 4
 myField    [289-295]    `12R078`

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

xvxt006
Contributor
‎09-28-2015 06:30 AM

Thank you. This gives me an idea on how to tackle some other scenarios. Can you make this as Answer. don't have permissions to do that..

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-28-2015 12:32 PM

update ping; modified the answer to be correct now

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎09-27-2015 08:54 PM

Basically i am looking for shippingResponse= or , as left boundaries and | as the right boundary. That would give me
12R071,12R095,12R090,12R078

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-28-2015 01:21 AM

Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right 

(?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)

Works on regex101.com with your provided examples and returns the following matches:

MATCH 1
myField [94-100]    `12R071`
MATCH 2
myField [159-165]   `12R095`
MATCH 3
myField [224-230]   `12R090`
MATCH 4
myField [289-295]   `12R078`
0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎09-27-2015 08:29 PM

Hi Michael,

this gives better results but still there is unwanted text. Just trying to understand what you wrote in that expression.
Does this (?!,])[=,] mean that either either "=" or "," cannot not be preceeded by "," or "]"

is there an email i can send you what i am seeing?

0 Karma
Reply
Solved! Jump to solution

xvxt006
Contributor
‎09-27-2015 07:54 PM

Hi MuS, static test i mentioned has "," in it. So that won't work.

Here is more realistic example of the event. I need 12R095,12R090,12R078

|ItemBranch:|FulfillingBranch:|S|Line#:|GenMessage:Y|ShipMode:GR|ShipDate:,] shippingResponse=12R071|1|1|005|20150930||||S_NW|standard.ship.stocked.available
,12R095|1|1|002|20150929||||S_NW|standard.ship.stocked.available
,12R090|1|1|003|20151001||||S_NW|standard.ship.stocked.available
,12R078|1|1|005|20150930||||S_NW|standard.ship.stocked.available
Y-EER-RTY

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-27-2015 08:05 PM

Try this :

base search here | rex max_match=0 "(?!,\])[=,](?<myField>[^|]*)" | table myField
0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...