I'm trying to extract the third comma-delimited column from the lines with the string "ABC" in them.
QWE ALL,06/12/2014 15:36:14,0.9678687876
QW,06/12/2014 15:36:12,0.5645564664
ERM,06/12/2014 15:36:11,0.3424234242
MJK,06/12/2014 15:36:10,0.2342344342
ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326
ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835
FGH FG456,06/12/2014 15:36:06,0.543574354
I need the expression to extract 0.654354326 and 3.564647835.
I was trying
(^|)ABC |$)[^ \n]* \d+:\d+:\d+,(?P<FIELDNAME>.+) but have not had any luck. Any ideas?
Thank you for your response; that helped me out a lot! However, the data I'm attempting to parse has some complications. There are additional fields beyond the example data above. I need a string that can determine the difference between:
S #random words,date,0.3423423
SRS #random words,date,0.453453
I need an expression that gathers the string that starts with "S," OR "S " (space).
This works for S with space
This works for S with comma
Attempts to combine the expression......
Returns: AttributeError: 'NoneType' object has no attribute 'replace'
Returns: Invalid regex: redefinition of group name u'FIELDNAME' as group 6; was group 3
I feel I'm close but am missing something. Appreciate any help! Thank you! 🙂
You can have multiple REGEXes for the same field - Splunk does not require that you combine them. Just do this in props.conf
[mysourcetype]
EXTRACT-e1 = (^S ).*?\,.*?\,(?P<myfield>.+)
EXTRACT-e2 = (^S,).*?\,(?P<myfield>.+)
Notice that both lines have the same field name. You could add a third if you want, etc.
I would probably put this in
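The following is an added illustration, not code from the thread or from Splunk: it emulates in Python's re module what the answer above describes, a table of EXTRACT-style patterns where several patterns feed the same field name, and runs it over constructed events modelled on both questions (the "ABC" third-column case from the first post and the "S " / "S," versus "SRS" case from the follow-up). The EXTRACT-abc pattern, the extraction table layout and the "each regex is applied independently, any match contributes a value" model are my assumptions, not Splunk's documented behaviour; the two S patterns are the ones from the answer. It also shows why the combined single-regex attempt produced the "redefinition of group name" error: a regex engine rejects the same group name used twice, so separate patterns are the way to get one field from several shapes of event.

```python
import re

# Constructed sample events modelled on the ones in the thread (not real Splunk data).
EVENTS = [
    "QWE ALL,06/12/2014 15:36:14,0.9678687876",
    "ABC PLD01234; THIS IS TEST MESSAGE FROM PLD01234 FOR MACHINE ABB231,06/12/2014 15:36:09,0.654354326",
    "ABC PLDS; THIS IS TEST ,06/12/2014 15:36:07,3.564647835",
    "FGH FG456,06/12/2014 15:36:06,0.543574354",
    "S #random words,06/12/2014 15:36:05,0.3423423",
    "S,06/12/2014 15:36:04,0.453453",
    "SRS #random words,06/12/2014 15:36:03,0.111111",
]

# Hypothetical props.conf-style extraction table: class name -> regex with a named group.
# EXTRACT-e1 / EXTRACT-e2 are the answer's patterns; EXTRACT-abc is an assumed pattern for
# the first question. Two classes deliberately produce the same field name (myfield).
EXTRACTIONS = {
    # Anchored to the end and restricted to digits/dots, so a trailing extra field makes the
    # pattern fail to match rather than silently capturing more than the number.
    "EXTRACT-abc": r"^ABC\b[^,]*,[^,]*,(?P<FIELDNAME>[0-9.]+)$",
    "EXTRACT-e1": r"(^S ).*?\,.*?\,(?P<myfield>.+)",
    "EXTRACT-e2": r"(^S,).*?\,(?P<myfield>.+)",
}

COMPILED = {name: re.compile(pattern) for name, pattern in EXTRACTIONS.items()}


def extract_fields(event):
    """Apply every extraction class to one event and return {field: [values, ...]}.

    Simplified model (assumption): each regex is applied on its own; every named group
    that matches contributes a value, and a class that does not match is just skipped.
    """
    fields = {}
    for name, rx in COMPILED.items():
        match = rx.search(event)
        if match is None:
            continue  # this class does not apply to this event: no value, no error
        for field, value in match.groupdict().items():
            if value is not None:
                fields.setdefault(field, []).append(value)
    return fields


def values_for(field, events=EVENTS):
    """Collect the values one field takes across all events, in event order."""
    values = []
    for event in events:
        values.extend(extract_fields(event).get(field, []))
    return values


def combined_pattern_error():
    """Reproduce the follow-up's failure: joining the two S patterns with '|' reuses the
    group name 'myfield', which the regex compiler rejects. Returns the error text."""
    try:
        re.compile(r"(^S ).*?\,.*?\,(?P<myfield>.+)|(^S,).*?\,(?P<myfield>.+)")
    except re.error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for event in EVENTS:
        print(event[:40].ljust(40), extract_fields(event))
    print("FIELDNAME:", values_for("FIELDNAME"))   # the two ABC third-column values
    print("myfield:  ", values_for("myfield"))     # the "S " and "S," values; SRS yields nothing
    print("combined regex error:", combined_pattern_error())
```

The answer's `(?P<myfield>.+)` captures everything after the second comma, which is correct only while the number is the last field on the line; if the real data has more columns after it, prefer the anchored, character-restricted style used in EXTRACT-abc so the extraction fails visibly instead of returning the rest of the line. Splunk's own engine is PCRE rather than Python's re, so treat this as a model of the logic, not a drop-in test of a props.conf file.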
Thanks! That helps out a lot!
I had to use the props.conf in this directory to work:
Thanks for the help