Splunk Search

Regular Expression (RegEX) Extracting Field from String Contains

Explorer

Hi,

I'm trying to extract the third comma-delimited column from lines with the string "ABC" in them.

example data:

QWE ALL,06/12/2014 15:36:14,0.9678687876
QW,06/12/2014 15:36:12,0.5645564664
ERM,06/12/2014 15:36:11,0.3424234242
MJK,06/12/2014 15:36:10,0.2342344342
ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326
ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835
FGH FG456,06/12/2014 15:36:06,0.543574354

I need the expression to extract 0.654354326 and 3.564647835.

I was trying (^|)ABC |$)[^ \n]* \d+:\d+:\d+,(?P<FIELDNAME>.+) but have not had any luck. Any ideas?


Re: Regular Expression (RegEX) Extracting Field from String Contains

Legend

You could do this

.*?\,.*?\,(?P<FIELDNAME>\d+\.\d+)

and I think it would work


Re: Regular Expression (RegEX) Extracting Field from String Contains

Explorer

Hi lguinn,

Thank you for your response; that helped me out a lot! However, the data I'm attempting to parse has some complications. There are additional fields beyond the example data above. I need an expression that can tell the difference between:

S,date,0.2343432
S #random words,date,0.3423423
SRS,date,0.4353453
SRS #random words,date,0.453453

I need an expression that gathers the value from the lines that start with "S," OR "S " (space).


Re: Regular Expression (RegEX) Extracting Field from String Contains

Explorer

This works for S with space

(^S ).*?\,.*?\,(?P<FIELDNAME>.+)

This works for S with comma

(^S,).*?\,(?P<FIELDNAME>.+)

Attempts to combine the expressions:

((^S ).*?\,.*?\,)|((^S,).*?\,)(?P<FIELDNAME>.+)

Returns: AttributeError: 'NoneType' object has no attribute 'replace'

and

((^S ).*?\,.*?\,)(?P<FIELDNAME>.+)|((^S,).*?\,)(?P<FIELDNAME>.+)

Returns: Invalid regex: redefinition of group name u'FIELDNAME' as group 6; was group 3

I feel I'm close but am missing something. Appreciate any help! Thank you! 🙂


Re: Regular Expression (RegEX) Extracting Field from String Contains

Legend

You can have multiple regexes for the same field - Splunk does not require that you combine them. Just do this in props.conf:

[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)

Notice that both lines have the same field name. You could add a third if you want, etc.

I would probably put this in $SPLUNK_HOME/etc/apps/search/local/props.conf
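
As an added illustration (not part of the original thread, and not Splunk's own code), the script below imitates what the answer above relies on: several EXTRACT-* lines in one props.conf stanza, each a PCRE-style pattern with the same named group, all applied to every event. It parses a constructed copy of the stanza, compiles each extraction, and runs them over the four line shapes from the follow-up question. The sourcetype name, the sample events and the "every extraction runs, matches accumulate" behaviour are assumptions of the example; Python's re is used as a stand-in for Splunk's PCRE engine, which supports the same (?P<name>...) syntax.

```python
import re
from typing import Dict, List, Tuple

# Constructed props.conf fragment: the two EXTRACT lines from the answer above
# under a hypothetical sourcetype name.
PROPS_CONF = r"""
[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)
"""

# Constructed sample events: the four shapes the follow-up question needs to tell apart.
SAMPLE_EVENTS = [
    "S,06/12/2014 15:36:14,0.2343432",
    "S #random words,06/12/2014 15:36:12,0.3423423",
    "SRS,06/12/2014 15:36:11,0.4353453",
    "SRS #random words,06/12/2014 15:36:10,0.453453",
]


def load_extractions(conf: str, stanza: str) -> List[Tuple[str, re.Pattern]]:
    """Return the compiled EXTRACT-* patterns found under [stanza], in file order."""
    patterns: List[Tuple[str, re.Pattern]] = []
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # new stanza header
            continue
        if current != stanza or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith("EXTRACT-"):
            patterns.append((key, re.compile(value)))
    return patterns


def extract_fields(event: str, patterns: List[Tuple[str, re.Pattern]]) -> Dict[str, List[str]]:
    """Apply every extraction to one event.

    Each named group that matched contributes a value; groups with the same
    name across extractions accumulate into a list, so a field that several
    patterns populate would come back multivalued, as it does in Splunk.
    """
    fields: Dict[str, List[str]] = {}
    for _, pattern in patterns:
        m = pattern.search(event)
        if m is None:
            continue
        for name, value in m.groupdict().items():
            if value is not None:
                fields.setdefault(name, []).append(value)
    return fields


def myfield_values(events: List[str], conf: str = PROPS_CONF,
                   stanza: str = "mysourcetype") -> List[List[str]]:
    """Values of myfield for each event; an empty list means no extraction matched."""
    patterns = load_extractions(conf, stanza)
    return [extract_fields(e, patterns).get("myfield", []) for e in events]


if __name__ == "__main__":
    for event, values in zip(SAMPLE_EVENTS, myfield_values(SAMPLE_EVENTS)):
        print(f"{event!r:50} -> myfield={values}")
```

Only the "S," and "S " lines yield a value; the "SRS" lines match neither anchor, which is the distinction the follow-up question asked for. The original "ABC" case from the first post fits the same pattern: a third EXTRACT line anchored on ^ABC with the same myfield group would pick up those rows without touching the other two expressions.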

Re: Regular Expression (RegEX) Extracting Field from String Contains

Explorer

Thanks! That helps out a lot!

I had to use the props.conf in this directory to work:
\etc\users\admin\"appname"\local

Thanks for the help