Solved: Re: Rex to match fields until particular string

slipinski · ‎05-05-2020

Hi,

I'm using expression: (?ms)book.(?\d{7}-\d) to extract some numbers from this input (thanks @to4kawa ) :

" new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)".

This gives me all 5 numbers (1272473, 1272472, 1272477, 1271398, 1271397), but I'm interested only in numbers before keyword "removed" (1272473, 1272472, 1272477). Please bear in mind, there could be from 1 to 5 strings in "new contribution" section and I would like to extract all of them.

Thanks is advance,
Szymon

to4kawa · ‎05-05-2020

UPDATE:
use 2 rex

| makeresults 
| eval _raw="new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)" 
| rex "(?<new>.*), removed" 
| rex field=new max_match=0 "(?ms)book.(?<book>\d{7}-\d)"

View solution in original post

to4kawa · ‎05-05-2020

UPDATE:
use 2 rex

| makeresults 
| eval _raw="new contributors: Set(book.1272473-1, book.1272472-1, book.1272477-1), removed contributors: Set(book.1271398-1, book.1271397-1)" 
| rex "(?<new>.*), removed" 
| rex field=new max_match=0 "(?ms)book.(?<book>\d{7}-\d)"

slipinski · ‎05-05-2020

Correct me if I'm wrong, but your query will extract fields after "removed" string and I would like to extract fields before it.

Rex to match fields until particular string

Routing logs with Splunk OTel Collector for Kubernetes

New This Month - Observability Updates Give Extended Visibility and Improve User ...

Intro to Splunk Synthetic Monitoring