Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex to match fields until particular string

slipinski
Path Finder
‎05-05-2020 08:31 AM

Hi,

I'm using expression: (?ms)book.(?\d{7}-\d) to extract some numbers from this input (thanks @to4kawa ) :

" new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)".

This gives me all 5 numbers (1272473, 1272472, 1272477, 1271398, 1271397), but I'm interested only in numbers before keyword "removed" (1272473, 1272472, 1272477). Please bear in mind, there could be from 1 to 5 strings in "new contribution" section and I would like to extract all of them.

Thanks is advance,
Szymon

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-05-2020 08:50 AM

UPDATE:
use 2 rex

| makeresults 
| eval _raw="new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)" 
| rex "(?<new>.*), removed" 
| rex field=new max_match=0 "(?ms)book.(?<book>\d{7}-\d)"

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎05-05-2020 08:50 AM

UPDATE:
use 2 rex

| makeresults 
| eval _raw="new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)" 
| rex "(?<new>.*), removed" 
| rex field=new max_match=0 "(?ms)book.(?<book>\d{7}-\d)"
Reply
Solved! Jump to solution

slipinski
Path Finder
‎05-05-2020 11:05 AM

Correct me if I'm wrong, but your query will extract fields after "removed" string and I would like to extract fields before it.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...