Solved: field extraction using regex - removing curly brac...

jaydiare · ‎05-18-2021

I wonder if anybody can help me with a regex to break this field into single lines

CustomResults="{pcap_filter_result {72038003 Ok (0x00000000)}} {pcap_filter_result {1769863 Ok (0x00000000)}} {pcap_filter_result {10879463 Ok (0x00000000)}} {pcap_filter_result {1962188 Ok (0x00000000)}} {pcap_filter_result {69603350 Ok (0x00000000)}} {pcap_filter_result {22006889 Ok

I am only interested to have : 72055288 Ok (0x00000000)

is there any way I can see it match line by line with any other field? like

field 1 field 2 72055288 Ok (0x00000000)

field 1 field 2 72055289 Ok (0x00000000)

field 1 field 2 72055210 Ok (0x00000000)

this one field has all this data together and looking for the best way to break it

thanks so much

ITWhisperer · ‎05-18-2021

| rex max_match=0 "\{pcap_filter_result\s{(?<filter>[^\}]+)\}\}"
| mvexpand filter

View solution in original post

ITWhisperer · ‎05-18-2021

| rex max_match=0 "\{pcap_filter_result\s{(?<filter>[^\}]+)\}\}"
| mvexpand filter

jaydiare · ‎05-18-2021

thank you this one worked!

javiergn · ‎05-18-2021

Hi,

There are several ways to achieve this. Assuming I understood your question correctly, the following SPL should do the job:

| makeresults
| eval CustomResults = "{pcap_filter_result {72038003 Ok (0x00000000)}} {pcap_filter_result {1769863 Ok (0x00000000)}} {pcap_filter_result {10879463 Ok (0x00000000)}} {pcap_filter_result {1962188 Ok (0x00000000)}} {pcap_filter_result {69603350 Ok (0x00000000)}}"
| rex field=CustomResults max_match=0 "pcap_filter_result \{(?<fields>\d+ [^\}]+)"
| mvexpand fields
| rex field=fields "(?<field1>\d+) (?<field2>.+?)$"

Example from my lab:

field extraction using regex - removing curly brackets

field extraction

regex

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services