Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex to extract information in specific field

kirangurram
Explorer
‎05-02-2019 09:39 AM

Dear Experts ,
Need experts advice to extract "ABC6_IN_S14093456789" from below information which is available in field. I think Regex could be used to extract that filed. your help is appreciated.

 <Hdr Id="[ABC6_IN_S14093456789]-a411655e-069c-4ce5-b2d1-b0c22f54c4a3" Ver="0.001" Dtm="2019-05-02T15:59:55Z" TmOff="-07:00" />
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-02-2019 11:50 AM

Please try below . (The logic is to say greedily collect all characters until it finds ]

Id=\"\[(?P<my_id>[^\]]+)\]

Demo in Regex101

So in Splunk it would be (assuming _raw is your event)

 | rex "Id=\"\[(?<my_id>[^\]]+)\]"

View solution in original post

Reply
Solved! Jump to solution

kirangurram
Explorer
‎05-02-2019 06:34 PM

thanks mate @koshyk. your answer served my purpose.

0 Karma
Reply
Solved! Jump to solution
Solution

koshyk
Super Champion
‎05-02-2019 11:50 AM

Please try below . (The logic is to say greedily collect all characters until it finds ]

Id=\"\[(?P<my_id>[^\]]+)\]

Demo in Regex101

So in Splunk it would be (assuming _raw is your event)

 | rex "Id=\"\[(?<my_id>[^\]]+)\]"
Reply
Solved! Jump to solution

lakromani
Builder
‎05-02-2019 10:19 PM

In Splunk P is not needed, so can write:

  | rex "Id=\"\[(?<my_id>[^\]]+)\]"

I think ] does not need to be escaped between [], so this should also work 

  | rex "Id=\"\[(?<my_id>[^]]+)\]"
0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎05-02-2019 09:49 AM

Hi

Give a try

| makeresults 
| eval msg="<Hdr Id=\"[ABC6_IN_S14093456789]-a411655e-069c-4ce5-b2d1-b0c22f54c4a3\" Ver=\"0.001\" Dtm=\"2019-05-02T15:59:55Z\" TmOff=\"-07:00\" />" 
| rex field=msg "Id\=\"\[(?P<id>\w+)\]"
0 Karma
Reply
Solved! Jump to solution

kirangurram
Explorer
‎05-02-2019 10:22 AM

thanks @vnravikumar . it works for some of the filed. it didnt work for the below sample.

from the below sample , I want to extract "android-2203920248ea8f16"

<Hdr Id="[android-2203920248ea8f16]-d451c5a7-e8e8-470a-93e8-f2c576c3507b" Ver="0.001" Dtm="2019-05-02T15:59:52Z" TmOff="-05:00" />
0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎05-02-2019 10:57 AM

Hi

Try this rex

Id\=\"\[(?P<id>)[\w-]+\]
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...