extract content of brackets - Splunk Community

Splunk Search

how can i extract content of first bracket if it is string?

e.g:
2020-04-21 23:59:59,093 INFO xxx.xxx-zz-00000 [process] start[ppp] time[00] tag[xxx]
2020-04-21 23:59:59,093 INFO xxx.xxx-zz-00000 [1234567] start[ppp] time[00] tag[xxx]
....

expected result:
process

have huge log file need to extract process with this conditions
1-content of first bracket
2-it must be string not number!

Thanks,

Hi @mehrdad_2000,

If you just want whatever is between square brackets but ensuring it only contains letters and not numbers, you can do something like:

| rex max_match=1 "^\d{4}\-\d{2}\-\d{2} \d{2}:\d{2}:\d{2}\,\d{3} \w+ [\w\-\.]+ \[(?<myField>[a-zA-Z]+)\]"

For instance, if I use your sample data:

1 KB

As I mentioned this is large log file and need more complete regex to do this.
For example your answer extract only fixed pattern that i mention, but not work on these:

2020-04-21 23:59:59,093 INFO xxxx.xxxxx-zz-00000xxx111 [process] start[ppp] time[00] tag[xxx]
2020-04-21 23:59:59,093 INFO xx.xxx-zz-00000x [report] start[ppp] time[00] tag[xxx]

Expected output:
process
report

Hmm, that's interesting. I have tested both your samples on regex101 and my regex works fine with them. Look:

https://regex101.com/r/cjjSHZ/1

Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members! The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...