Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

field extraction between brackets

indeed_2000
Motivator
‎12-11-2019 01:53 AM

I have log file like this:

A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]

want to extract field of A, B, C.

1-How can I extract content between brackets [] ? as you see in each brackets have (dash or slash ...)
2-How can I extract fields as it could be single part "1020/09/09" or split like this "1020" "09" "09"

Thanks,

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 02:26 AM

@mehrdad_2000

You can try this also.

| makeresults 
| eval _raw=" A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| rex field=_raw "A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\]"

If you want to split values in multivalued or space separated then add below search

| eval A1=split(A,"/"),A2=replace(A,"/"," ")

if you want to get multi values in different fields then use below search

| eval x=mvindex(A1,0), y=mvindex(A1,1), z=mvindex(A1,2)

Thanks

0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:56 AM

I'd not suggest using .+, but simply use [^\]]+. For a single event like this, that reduces the number of steps needed to evaluate from 171 to just 21 as it completely removes the need for backtracking.
A\[(?<A>.+)\]\sB\[(?<B>.+)\]\sC\[(?<C>.+)\] https://regex101.com/r/7T5u9C/1
A\[(?<A>[^\]]+)\]\sB\[(?<B>[^\]]+)\]\sC\[(?<C>[^\]]+)\] https://regex101.com/r/AY9qew/1

Have a look at the debugger on how bad .+ behaves: https://regex101.com/r/7T5u9C/1/debugger

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-11-2019 07:41 AM

Cool @FrankVl . Thanks for the regex optimization. You regex improved with many steps. 🙂
I have updated my answer with new one.

Reply

vnravikumar
Champion
‎12-11-2019 02:02 AM

Hi

Check this. if not, please specify your expected results.

| makeresults 
| eval test="A[1020/09/09] B[1013/09/09] C[05-07-00000000-000-A-B-C]" 
| eval temp=split(test," ") 
| rex field=temp "\[(?P<output>.+)\]"
0 Karma
Reply

FrankVl
Ultra Champion
‎12-11-2019 03:57 AM

Same here: don't use .+ if you don't have to. See my other comment for the reason why.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...