Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

field extraction between brackets

indeed_2000
Motivator
‎12-11-2019 01:53 AM

I have log file like this:

A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]

want to extract field of A, B, C.

1-How can I extract content between brackets [] ? as you see in each brackets have (dash or slash ...)
2-How can I extract fields as it could be single part "1020/09/09" or split like this "1020" "09" "09"

Thanks,

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 02:26 AM

@mehrdad_2000

You can try this also.

| makeresults 
| eval _raw=" A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| rex field=_raw "A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\]"

If you want to split values in multivalued or space separated then add below search

| eval A1=split(A,"/"),A2=replace(A,"/"," ")

if you want to get multi values in different fields then use below search

| eval x=mvindex(A1,0), y=mvindex(A1,1), z=mvindex(A1,2)

Thanks

0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:56 AM

I'd not suggest using .+, but simply use [^\]]+. For a single event like this, that reduces the number of steps needed to evaluate from 171 to just 21 as it completely removes the need for backtracking.
A\[(?<A>.+)\]\sB\[(?<B>.+)\]\sC\[(?<C>.+)\] https://regex101.com/r/7T5u9C/1
A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\] https://regex101.com/r/AY9qew/1

Have a look at the debugger on how bad .+ behaves: https://regex101.com/r/7T5u9C/1/debugger

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 07:41 AM

Cool @FrankVl . Thanks for the regex optimization. You regex improved with many steps. 🙂
I have updated my answer with new one.

Reply

vnravikumar
Champion
‎12-11-2019 02:02 AM

Hi

Check this. if not, please specify your expected results.

| makeresults 
| eval test="A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| eval temp=split(test," ") 
| rex field=temp "\[(?P<output>.+)\]"
0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:57 AM

Same here: don't use .+ if you don't have to. See my other comment for the reason why.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...