Solved: Re: Regular Expression (RegEX) Extracting Field fr...

nissanse98 · ‎06-12-2014

Hi,

I'm trying to extract the third comma deliminated column with the string "ABC" in it.

example data:

QWE ALL,06/12/2014 15:36:14,0.9678687876
QW,06/12/2014 15:36:12,0.5645564664
ERM,06/12/2014 15:36:11,0.3424234242
MJK,06/12/2014 15:36:10,0.2342344342
ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326
ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835
FGH FG456,06/12/2014 15:36:06,0.543574354

I need the expression to extract 0.654354326 and 3.564647835.

I was trying (^|)ABC |$)[^ \n]* \d+:\d+:\d+,(?P<FIELDNAME>.+) but have not had any luck. Any ideas?

lguinn2 · ‎06-14-2014

You can have multiple REGEXes for the same field - Splunk does not require that you combine them. Just do this in props.conf

[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)

Notice that both lines have the same field name. You could add a third if you want, etc.

I would probably put this in $SPLUNK_HOME/etc/apps/search/local/props.conf

View solution in original post

lguinn2 · ‎06-14-2014

You can have multiple REGEXes for the same field - Splunk does not require that you combine them. Just do this in props.conf

[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)

Notice that both lines have the same field name. You could add a third if you want, etc.

I would probably put this in $SPLUNK_HOME/etc/apps/search/local/props.conf

nissanse98 · ‎06-14-2014

Thanks! That helps out a lot!

I had to use the props.conf in this directory to work:
\etc\users\admin\"appname"\local

Thanks for the help

lguinn2 · ‎06-12-2014

You could do this

.*?\,.*?\,(?P<FIELDNAME>\d+\.\d+)

and I think it would work

nissanse98 · ‎06-14-2014

This works for S with space

(^S ).*?\,.*?\,(?P<FIELDNAME>.+)

This works for S with comma

(^S,).*?\,(?P<FIELDNAME>.+)

Attempts to combine the expression......

((^S ).*?\,.*?\,)|((^S,).*?\,)(?P<FIELDNAME>.+)

Returns: AttributeError: 'NoneType' object has no attribute 'replace'

and

((^S ).*?\,.*?\,)(?P<FIELDNAME>.+)|((^S,).*?\,)(?P<FIELDNAME>.+)

Returns:Invalid regex: redefinition of group name u'FIELDNAME' as group 6; was group 3

I feel I'm close but am missing something. Appreciate any help! Thank you! 🙂

nissanse98 · ‎06-14-2014

Hi lguinn,

Thank you for your response; that helped me out a lot! However, the data I'm attempting to parse has some complications. There are additional fields to the example data above. I need a string that can determine difference between:

S,date,0.2343432
S #random words,date,0.3423423
SRS,date,0.4353453
SRS #random words,date,0.453453
I need an expression that gather the string that starts with "S," OR "S " (space)

Regular Expression (RegEX) Extracting Field from String Contains

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation