Splunk Search

Regex to extract from start until a specific character

Sukisen1981
Champion

I have a test field in a CSV called description:
Completed changes are not shown as complete in channels for a while Actualstart: 2017-05-15 06:40:34
I want to extract everything from the start of the string until I encounter Actualstart.
I do not know how long the sub string before Actualstart is going to be , but I need to extract from start until Actualstart is reached.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi Sukisen1981,
try something like this

your_search
| rex "^(?<string>.*)Actualstart"
| ...

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi Sukisen1981,
try something like this

your_search
| rex "^(?<string>.*)Actualstart"
| ...

Bye.
Giuseppe

0 Karma

Sukisen1981
Champion

nope Giuseppe ..doesn't work ..tried that before as well..BTW what does your rex mean? are you tying to extract FROM the description field or in general and i tied both options without luck.

0 Karma

gcusello
SplunkTrust
SplunkTrust

I tried it on regex101.com and it runs (see https://regex101.com/r/G6sRG9/1), could you share an example to test it again?
Anyway my regex says to take in "String" field all the chars from the beginning of the row until the word "Actualstart".
Bye.
Giuseppe

0 Karma

Sukisen1981
Champion

tomec error on mos order 4006, location is ok, but numberseries 24034800-4899 = 100 numbers has failed towards tomec.

Actual start: 2017-09-08 11:54:46

Business impact:

? Customers 100000 numbers is Down no Calls in or out.

here is a sample the description field. Now, the issue is not because of Actual start vs Actualstart...I had removed \s+ from description. Is it because of the space between the text and Actual Start?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi
The problem is the multi line, try this regex:

| rex "(?ms)^(?<string>.*)\s+Actual start"

and test it at https://regex101.com/r/G6sRG9/2
Bye.
Giuseppe

Sukisen1981
Champion

Hi,

It works now! thanks a lot . I had forgotten although in splunk it looks like there are no gaps, the description field is indeed multi lined.

Many thanks once again , I am accepting the answer

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This should do it.

... | rex field=description "(?<string>.*?)Actualstart" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

Sukisen1981
Champion

I tried that before, does not work. This is very simple and I have done more complex regex but this very obvious rex returns empty values for string...

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The regex works fine on regex101.com. Can you share a complete event and your full query? Are you sure there is a field called 'description'?

---
If this reply helps you, Karma would be appreciated.
0 Karma

Sukisen1981
Champion

tomec error on mos order 4006, location is ok, but numberseries 24034800-4899 = 100 numbers has failed towards tomec.

Actual start: 2017-09-08 11:54:46

Business impact:

? Customers 100000 numbers is Down no Calls in or out.

here is a sample the description field. Now, the issue is not because of Actual start vs Actualstart...I had removed \s+ from description. Is it because of the space between the text and Actual Start?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...