Search comma surrounded phrase in _raw using rex

sai_shreyashi_p · ‎09-08-2019

In the logged data:

....,en,us,....(one record)
....,en,in,.....(another record)
(Here .... represents string data)

I need to extract 'us' and 'in' from _raw from each log.
rex field = _raw "(?:us?[^,]+)"

This is erroneous but it will be great if someone can help out.

richgalloway · ‎09-09-2019

This may help.

... | rex "en,(?<country>\w+)"

---
If this reply helps you, Karma would be appreciated.

sai_shreyashi_p · ‎09-10-2019

actually in the data it isn't necessary for the country to be preceded by 'en' which is why I was facing issues.
Is there any way to look for strings like ",us," or ",jp,"? Regex or rex expression for looking in _raw?

richgalloway · ‎09-10-2019

If the sample data above is accurate then this should work:

... | rex ",(?<lang>\w+),(?<country>\w+)"

---
If this reply helps you, Karma would be appreciated.

harsmarvania57 · ‎09-09-2019

Hi,

If you provide full sample raw data then community member will able to help on regex side.

sai_shreyashi_p · ‎09-10-2019

Sorry for the vague description of data but actually this data cannot be exposed.
They are mainly comma separated values in the middle of which we have language code,country code.
They are somewhere in the middle of _raw.
Ex: 324724588,nhiden-niuen-jkjl,en,us,6484-47934......,...

Search comma surrounded phrase in _raw using rex

Unleash Unified Security and Observability with Splunk Cloud Platform

Enterprise Security Content Update (ESCU) | New Releases

Join the Splunk Developer Program Hackathon: Splunk Build-a-thon!