Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regular Expression to extract the below values

aswin_asok
Explorer
‎12-06-2019 03:32 AM

Hi, One of my value in table is being passed as an Boolean expression as below

(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)

I'm trying to use the | makemv tokenizer= to make the above to be extracted as multivalues as below

1213App_Developmen1
App-Testing
App Support
App:Support
App&$+*Support
AppSupport

And then use mxexpand to appy other table values to the expanded fields.

Can anyone help me with the Regex to do so.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-06-2019 04:16 PM

Like this:

|makeresults 
|  eval _raw="(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)"
| rex max_match=0 "assignment_group\s*=\s*(?<assignment_group>[^\s\)]+)"

Avoid the use of mvexpand; it does not scale well and will cause false results. All of the *stats commands are multivalue-aware and will do the right thing so just leave it as multivalue.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-06-2019 04:16 PM

Like this:

|makeresults 
|  eval _raw="(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)"
| rex max_match=0 "assignment_group\s*=\s*(?<assignment_group>[^\s\)]+)"

Avoid the use of mvexpand; it does not scale well and will cause false results. All of the *stats commands are multivalue-aware and will do the right thing so just leave it as multivalue.

Reply
Solved! Jump to solution

aswin_asok
Explorer
‎12-08-2019 10:20 PM

Many Thanks @woodcock , extraction is working as expected expect if there is a white space between the values.. included am additional \s.

| rex max_match=0 "assignment_group\s*=\s*(?\s[^OR)]+)"

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2019 05:44 AM

Try assignment_group\s=\s([^\s]+).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-06-2019 05:39 AM

Hi @aswin_asok,
please try this regex:

| rex "assignment_group = (?<assignment_group>[^OR]*)"

that you can test at https://regex101.com/r/uKxTe4/1

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

aswin_asok
Explorer
‎12-09-2019 12:50 AM

Hi @gcusello

Have tried the below,

| rex max_match=0 "assignment_group\s*=\s*(?\s[^OR)]+)"

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...