Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regular Expression (RegEX) Extracting Field fr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to extract the third comma deliminated column with the string "ABC" in it.
example data:
QWE ALL,06/12/2014 15:36:14,0.9678687876
QW,06/12/2014 15:36:12,0.5645564664
ERM,06/12/2014 15:36:11,0.3424234242
MJK,06/12/2014 15:36:10,0.2342344342
ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326
ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835
FGH FG456,06/12/2014 15:36:06,0.543574354
I need the expression to extract 0.654354326 and 3.564647835.
I was trying (^|)ABC |$)[^ \n]* \d+:\d+:\d+,(?P<FIELDNAME>.+) but have not had any luck. Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can have multiple REGEXes for the same field - Splunk does not require that you combine them. Just do this in props.conf
[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)
Notice that both lines have the same field name. You could add a third if you want, etc.
I would probably put this in $SPLUNK_HOME/etc/apps/search/local/props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can have multiple REGEXes for the same field - Splunk does not require that you combine them. Just do this in props.conf
[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)
Notice that both lines have the same field name. You could add a third if you want, etc.
I would probably put this in $SPLUNK_HOME/etc/apps/search/local/props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! That helps out a lot!
I had to use the props.conf in this directory to work:
\etc\users\admin\"appname"\local
Thanks for the help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could do this
.*?\,.*?\,(?P<FIELDNAME>\d+\.\d+)
and I think it would work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works for S with space
(^S ).*?\,.*?\,(?P<FIELDNAME>.+)
This works for S with comma
(^S,).*?\,(?P<FIELDNAME>.+)
Attempts to combine the expression......
((^S ).*?\,.*?\,)|((^S,).*?\,)(?P<FIELDNAME>.+)
Returns: AttributeError: 'NoneType' object has no attribute 'replace'
and
((^S ).*?\,.*?\,)(?P<FIELDNAME>.+)|((^S,).*?\,)(?P<FIELDNAME>.+)
Returns:Invalid regex: redefinition of group name u'FIELDNAME' as group 6; was group 3
I feel I'm close but am missing something. Appreciate any help! Thank you! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi lguinn,
Thank you for your response; that helped me out a lot! However, the data I'm attempting to parse has some complications. There are additional fields to the example data above. I need a string that can determine difference between:
S,date,0.2343432
S #random words,date,0.3423423
SRS,date,0.4353453
SRS #random words,date,0.453453
I need an expression that gather the string that starts with "S," OR "S " (space)
Data Management Digest – December 2025
Index This | What is broken 80% of the time by February?
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
