Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

field extraction between brackets

indeed_2000
Motivator
‎12-11-2019 01:53 AM

I have log file like this:

A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]

want to extract field of A, B, C.

1-How can I extract content between brackets [] ? as you see in each brackets have (dash or slash ...)
2-How can I extract fields as it could be single part "1020/09/09" or split like this "1020" "09" "09"

Thanks,

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 02:26 AM

@mehrdad_2000

You can try this also.

| makeresults 
| eval _raw=" A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| rex field=_raw "A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\]"

If you want to split values in multivalued or space separated then add below search

| eval A1=split(A,"/"),A2=replace(A,"/"," ")

if you want to get multi values in different fields then use below search

| eval x=mvindex(A1,0), y=mvindex(A1,1), z=mvindex(A1,2)

Thanks

0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:56 AM

I'd not suggest using .+, but simply use [^\]]+. For a single event like this, that reduces the number of steps needed to evaluate from 171 to just 21 as it completely removes the need for backtracking.
A\[(?<A>.+)\]\sB\[(?<B>.+)\]\sC\[(?<C>.+)\] https://regex101.com/r/7T5u9C/1
A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\] https://regex101.com/r/AY9qew/1

Have a look at the debugger on how bad .+ behaves: https://regex101.com/r/7T5u9C/1/debugger

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 07:41 AM

Cool @FrankVl . Thanks for the regex optimization. You regex improved with many steps. 🙂
I have updated my answer with new one.

Reply

vnravikumar
Champion
‎12-11-2019 02:02 AM

Hi

Check this. if not, please specify your expected results.

| makeresults 
| eval test="A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| eval temp=split(test," ") 
| rex field=temp "\[(?P<output>.+)\]"
0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:57 AM

Same here: don't use .+ if you don't have to. See my other comment for the reason why.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...