Solved: Regex to match string between 2 strings?

sasank · ‎01-11-2023

Hi,

I have below splunk command:

| makeresults
| eval _raw="The first value is 0.00 and The second value is 0\",\"origin\":\"rep\",\"source_instance\":\"0\""
| rex "The\sfirst\svalue\sis (?<from>.*) and\sThe\ssecond\svalue\sis (?<to>.*)"

This shows the "from" field as 0.00 and "to" field as 0","origin":"rep","source_instance":"0"

In the "to" field I only want the value 0. How do I achieve that?

PaulPanther · ‎01-11-2023

@sasank Test your regex in a regex editor like

https://regex101.com/r/1oqLAF/3

If you follow the link you will find your test string and a regex that you can use to match the correct values.

View solution in original post

sasank · ‎01-11-2023

Thanks for the link. I couldn't figure out how to match the 2nd value so I am looking if someone can help in fixing the regex

PaulPanther · ‎01-11-2023

@sasank

| makeresults
| eval _raw="The first value is 0.00 and The second value is 0\",\"origin\":\"rep\",\"source_instance\":\"0\""
| rex "The\sfirst\svalue\sis (?<from>[^\s]+).+?(?<to>\d)"

PaulPanther · ‎01-11-2023

@sasank Test your regex in a regex editor like

https://regex101.com/r/1oqLAF/3

If you follow the link you will find your test string and a regex that you can use to match the correct values.

Regex to match string between 2 strings?

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation