Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regular Expression to extract the below values

aswin_asok
Explorer
‎12-06-2019 03:32 AM

Hi, One of my value in table is being passed as an Boolean expression as below

(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)

I'm trying to use the | makemv tokenizer= to make the above to be extracted as multivalues as below

1213App_Developmen1
App-Testing
App Support
App:Support
App&$+*Support
AppSupport

And then use mxexpand to appy other table values to the expanded fields.

Can anyone help me with the Regex to do so.

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-06-2019 04:16 PM

Like this:

|makeresults 
|  eval _raw="(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)"
| rex max_match=0 "assignment_group\s*=\s*(?<assignment_group>[^\s\)]+)"

Avoid the use of mvexpand; it does not scale well and will cause false results. All of the *stats commands are multivalue-aware and will do the right thing so just leave it as multivalue.

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎12-06-2019 04:16 PM

Like this:

|makeresults 
|  eval _raw="(assignment_group = 1213App_Development1 OR assignment_group = App-Testing OR assignment_group = App Support OR assignment_group = App:Support OR assignment_group = App&$+*Support assignment_group = AppSupport)"
| rex max_match=0 "assignment_group\s*=\s*(?<assignment_group>[^\s\)]+)"

Avoid the use of mvexpand; it does not scale well and will cause false results. All of the *stats commands are multivalue-aware and will do the right thing so just leave it as multivalue.

Reply
Solved! Jump to solution

aswin_asok
Explorer
‎12-08-2019 10:20 PM

Many Thanks @woodcock , extraction is working as expected expect if there is a white space between the values.. included am additional \s.

| rex max_match=0 "assignment_group\s*=\s*(?\s[^OR)]+)"

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-06-2019 05:44 AM

Try assignment_group\s=\s([^\s]+).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎12-06-2019 05:39 AM

Hi @aswin_asok,
please try this regex:

| rex "assignment_group = (?<assignment_group>[^OR]*)"

that you can test at https://regex101.com/r/uKxTe4/1

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

aswin_asok
Explorer
‎12-09-2019 12:50 AM

Hi @gcusello

Have tried the below,

| rex max_match=0 "assignment_group\s*=\s*(?\s[^OR)]+)"

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...