I have a test field in a CSV called description:
Completed changes are not shown as complete in channels for a while Actualstart: 2017-05-15 06:40:34
I want to extract everything from the start of the string until I encounter Actualstart.
I do not know how long the sub string before Actualstart is going to be , but I need to extract from start until Actualstart is reached.
Hi Sukisen1981,
try something like this
your_search
| rex "^(?<string>.*)Actualstart"
| ...
Bye.
Giuseppe
Hi Sukisen1981,
try something like this
your_search
| rex "^(?<string>.*)Actualstart"
| ...
Bye.
Giuseppe
nope Giuseppe ..doesn't work ..tried that before as well..BTW what does your rex mean? are you tying to extract FROM the description field or in general and i tied both options without luck.
I tried it on regex101.com and it runs (see https://regex101.com/r/G6sRG9/1), could you share an example to test it again?
Anyway my regex says to take in "String" field all the chars from the beginning of the row until the word "Actualstart".
Bye.
Giuseppe
tomec error on mos order 4006, location is ok, but numberseries 24034800-4899 = 100 numbers has failed towards tomec.
Actual start: 2017-09-08 11:54:46
Business impact:
here is a sample the description field. Now, the issue is not because of Actual start vs Actualstart...I had removed \s+ from description. Is it because of the space between the text and Actual Start?
Hi
The problem is the multi line, try this regex:
| rex "(?ms)^(?<string>.*)\s+Actual start"
and test it at https://regex101.com/r/G6sRG9/2
Bye.
Giuseppe
Hi,
It works now! thanks a lot . I had forgotten although in splunk it looks like there are no gaps, the description field is indeed multi lined.
Many thanks once again , I am accepting the answer
This should do it.
... | rex field=description "(?<string>.*?)Actualstart" | ...
I tried that before, does not work. This is very simple and I have done more complex regex but this very obvious rex returns empty values for string...
The regex works fine on regex101.com. Can you share a complete event and your full query? Are you sure there is a field called 'description'?
tomec error on mos order 4006, location is ok, but numberseries 24034800-4899 = 100 numbers has failed towards tomec.
Actual start: 2017-09-08 11:54:46
Business impact:
here is a sample the description field. Now, the issue is not because of Actual start vs Actualstart...I had removed \s+ from description. Is it because of the space between the text and Actual Start?