Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex formatting trouble

MikeB
Path Finder
‎10-06-2021 03:53 PM

Hello again Spelunkers! 

So I have data that looks like this:

assessment=normal [1.0]
assessment=normal [1.1]
assessment=suspect [0.75]
assessment=suspect [0.88]
assessment=bad [0.467]


I want a table column named rating that takes the "normal," "suspect," "bad" without the [###] after it. So I wrote the below thinking I can name the column rating and then capture any alpha characters and terminate at the white space between the word value and the [###] value. What would be the correct way of writing this? Thank you in advance!

 

| rex field=raw_ "assessment=(?<rating>/\w/\s)"

 



Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

danielcj
Path Finder
‎10-06-2021 10:45 PM

Hi,

 

Please, try the following:

| rex field=_raw "assessment=(?<rating>\S+)"



View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

danielcj
Path Finder
‎10-06-2021 10:45 PM

Hi,

 

Please, try the following:

| rex field=_raw "assessment=(?<rating>\S+)"



0 Karma
Reply
Solved! Jump to solution

MikeB
Path Finder
‎10-07-2021 09:36 AM

Thank you! This worked perfectly. 

0 Karma
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...