Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

field extraction between brackets

indeed_2000
Motivator
‎12-11-2019 01:53 AM

I have log file like this:

A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]

want to extract field of A, B, C.

1-How can I extract content between brackets [] ? as you see in each brackets have (dash or slash ...)
2-How can I extract fields as it could be single part "1020/09/09" or split like this "1020" "09" "09"

Thanks,

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 02:26 AM

@mehrdad_2000

You can try this also.

| makeresults 
| eval _raw=" A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| rex field=_raw "A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\]"

If you want to split values in multivalued or space separated then add below search

| eval A1=split(A,"/"),A2=replace(A,"/"," ")

if you want to get multi values in different fields then use below search

| eval x=mvindex(A1,0), y=mvindex(A1,1), z=mvindex(A1,2)

Thanks

0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:56 AM

I'd not suggest using .+, but simply use [^\]]+. For a single event like this, that reduces the number of steps needed to evaluate from 171 to just 21 as it completely removes the need for backtracking.
A\[(?<A>.+)\]\sB\[(?<B>.+)\]\sC\[(?<C>.+)\] https://regex101.com/r/7T5u9C/1
A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\] https://regex101.com/r/AY9qew/1

Have a look at the debugger on how bad .+ behaves: https://regex101.com/r/7T5u9C/1/debugger

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 07:41 AM

Cool @FrankVl . Thanks for the regex optimization. You regex improved with many steps. 🙂
I have updated my answer with new one.

Reply

vnravikumar
Champion
‎12-11-2019 02:02 AM

Hi

Check this. if not, please specify your expected results.

| makeresults 
| eval test="A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| eval temp=split(test," ") 
| rex field=temp "\[(?P<output>.+)\]"
0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:57 AM

Same here: don't use .+ if you don't have to. See my other comment for the reason why.

0 Karma
Reply
Get Updates on the Splunk Community!

Fueling your curiosity with new Splunk ILT and eLearning courses

At Splunk Education, we’re driven by curiosity—both ours and yours! That’s why we’re committed to delivering ...

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Splunk AI Assistant for SPL has transformed how users interact with Splunk, making it easier than ever to ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureOn Demand Now Step boldly into the AI revolution with enhanced security ...
Top