- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex to extract information in specific field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear Experts ,
Need experts advice to extract "ABC6_IN_S14093456789" from below information which is available in field. I think Regex could be used to extract that filed. your help is appreciated.
<Hdr Id="[ABC6_IN_S14093456789]-a411655e-069c-4ce5-b2d1-b0c22f54c4a3" Ver="0.001" Dtm="2019-05-02T15:59:55Z" TmOff="-07:00" />
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try below . (The logic is to say greedily collect all characters until it finds ]
Id=\"\[(?P<my_id>[^\]]+)\]
Demo in Regex101
So in Splunk it would be (assuming _raw is your event)
| rex "Id=\"\[(?<my_id>[^\]]+)\]"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks mate @koshyk. your answer served my purpose.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please try below . (The logic is to say greedily collect all characters until it finds ]
Id=\"\[(?P<my_id>[^\]]+)\]
Demo in Regex101
So in Splunk it would be (assuming _raw is your event)
| rex "Id=\"\[(?<my_id>[^\]]+)\]"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In Splunk P is not needed, so can write:
| rex "Id=\"\[(?<my_id>[^\]]+)\]"
I think ] does not need to be escaped between [], so this should also work
| rex "Id=\"\[(?<my_id>[^]]+)\]"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Give a try
| makeresults
| eval msg="<Hdr Id=\"[ABC6_IN_S14093456789]-a411655e-069c-4ce5-b2d1-b0c22f54c4a3\" Ver=\"0.001\" Dtm=\"2019-05-02T15:59:55Z\" TmOff=\"-07:00\" />"
| rex field=msg "Id\=\"\[(?P<id>\w+)\]"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks @vnravikumar . it works for some of the filed. it didnt work for the below sample.
from the below sample , I want to extract "android-2203920248ea8f16"
<Hdr Id="[android-2203920248ea8f16]-d451c5a7-e8e8-470a-93e8-f2c576c3507b" Ver="0.001" Dtm="2019-05-02T15:59:52Z" TmOff="-05:00" />
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this rex
Id\=\"\[(?P<id>)[\w-]+\]
Monitoring Amazon Elastic Kubernetes Service (EKS)
Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation
Explore the Latest Educational Offerings from Splunk (November Releases)
