Splunk Search

Regular Expression (RegEX) Extracting Field from String Contains

nissanse98
Explorer

Hi,

I'm trying to extract the third comma deliminated column with the string "ABC" in it.

example data:

QWE ALL,06/12/2014 15:36:14,0.9678687876
QW,06/12/2014 15:36:12,0.5645564664
ERM,06/12/2014 15:36:11,0.3424234242
MJK,06/12/2014 15:36:10,0.2342344342
ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326
ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835
FGH FG456,06/12/2014 15:36:06,0.543574354

I need the expression to extract 0.654354326 and 3.564647835.

I was trying (^|)ABC |$)[^ \n]* \d+:\d+:\d+,(?P<FIELDNAME>.+) but have not had any luck. Any ideas?

Tags (2)
1 Solution

lguinn2
Legend

You can have multiple REGEXes for the same field - Splunk does not require that you combine them. Just do this in props.conf

[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)

Notice that both lines have the same field name. You could add a third if you want, etc.

I would probably put this in $SPLUNK_HOME/etc/apps/search/local/props.conf

View solution in original post

lguinn2
Legend

You can have multiple REGEXes for the same field - Splunk does not require that you combine them. Just do this in props.conf

[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)

Notice that both lines have the same field name. You could add a third if you want, etc.

I would probably put this in $SPLUNK_HOME/etc/apps/search/local/props.conf

nissanse98
Explorer

Thanks! That helps out a lot!

I had to use the props.conf in this directory to work:
\etc\users\admin\"appname"\local

Thanks for the help

lguinn2
Legend

You could do this

.*?\,.*?\,(?P<FIELDNAME>\d+\.\d+)

and I think it would work

nissanse98
Explorer

This works for S with space

(^S ).*?\,.*?\,(?P<FIELDNAME>.+)

This works for S with comma

(^S,).*?\,(?P<FIELDNAME>.+)

Attempts to combine the expression......

((^S ).*?\,.*?\,)|((^S,).*?\,)(?P<FIELDNAME>.+)

Returns: AttributeError: 'NoneType' object has no attribute 'replace'

and

((^S ).*?\,.*?\,)(?P<FIELDNAME>.+)|((^S,).*?\,)(?P<FIELDNAME>.+)

Returns:Invalid regex: redefinition of group name u'FIELDNAME' as group 6; was group 3

I feel I'm close but am missing something. Appreciate any help! Thank you! 🙂

0 Karma

nissanse98
Explorer

Hi lguinn,

Thank you for your response; that helped me out a lot! However, the data I'm attempting to parse has some complications. There are additional fields to the example data above. I need a string that can determine difference between:

S,date,0.2343432
S #random words,date,0.3423423
SRS,date,0.4353453
SRS #random words,date,0.453453
I need an expression that gather the string that starts with "S," OR "S " (space)

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...