Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

field extraction between brackets

indeed_2000
Motivator
‎12-11-2019 01:53 AM

I have log file like this:

A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]

want to extract field of A, B, C.

1-How can I extract content between brackets [] ? as you see in each brackets have (dash or slash ...)
2-How can I extract fields as it could be single part "1020/09/09" or split like this "1020" "09" "09"

Thanks,

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 02:26 AM

@mehrdad_2000

You can try this also.

| makeresults 
| eval _raw=" A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| rex field=_raw "A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\]"

If you want to split values in multivalued or space separated then add below search

| eval A1=split(A,"/"),A2=replace(A,"/"," ")

if you want to get multi values in different fields then use below search

| eval x=mvindex(A1,0), y=mvindex(A1,1), z=mvindex(A1,2)

Thanks

0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:56 AM

I'd not suggest using .+, but simply use [^\]]+. For a single event like this, that reduces the number of steps needed to evaluate from 171 to just 21 as it completely removes the need for backtracking.
A\[(?<A>.+)\]\sB\[(?<B>.+)\]\sC\[(?<C>.+)\] https://regex101.com/r/7T5u9C/1
A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\] https://regex101.com/r/AY9qew/1

Have a look at the debugger on how bad .+ behaves: https://regex101.com/r/7T5u9C/1/debugger

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 07:41 AM

Cool @FrankVl . Thanks for the regex optimization. You regex improved with many steps. 🙂
I have updated my answer with new one.

Reply

vnravikumar
Champion
‎12-11-2019 02:02 AM

Hi

Check this. if not, please specify your expected results.

| makeresults 
| eval test="A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| eval temp=split(test," ") 
| rex field=temp "\[(?P<output>.+)\]"
0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:57 AM

Same here: don't use .+ if you don't have to. See my other comment for the reason why.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...