Splunk Search

I want to match the word "Modify", but it should skip the first match. I want the second match "Modify" till the semicolon delimiter.


Modify:extended value attribut -"to be processed";Action:"will not be processed";Modify:attributs to be processed-"hellow world"; Action:attr"to be new value";

1 Solution


Hi premranjithj,
Try something like this:

Modify\:.*;Modify\:(?<your_field>[^;]*)

You can test it at https://regex101.com/r/WV13yK/1

Bye.
Giuseppe
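
Added example, not part of the original post or the answer: the regex above run unchanged in JavaScript (which accepts the same `(?<name>...)` group syntax as the PCRE engine Splunk uses) against the event from the question and a constructed event with a third Modify entry. The lazy variant and the `nthModify` helper are hypothetical additions and assume a semicolon never occurs inside a value.

```javascript
// EVENT_TWO is the event from the question. EVENT_THREE is constructed:
// the same event with a third Modify entry appended.
const EVENT_TWO =
  'Modify:extended value attribut -"to be processed";' +
  'Action:"will not be processed";' +
  'Modify:attributs to be processed-"hellow world"; ' +
  'Action:attr"to be new value";';
const EVENT_THREE = EVENT_TWO + 'Modify:third entry;';

// Regex from the answer, unchanged. The greedy .* runs to the end of the
// event and backtracks, so the capture is the LAST ";Modify:" entry.
// With exactly two Modify entries that is also the second one.
const GREEDY = /Modify\:.*;Modify\:(?<your_field>[^;]*)/;

// Lazy variant (added here): .*? grows from the left and stops at the first
// ";Modify:" after the leading entry, which is always the second occurrence.
const LAZY = /Modify\:.*?;Modify\:(?<your_field>[^;]*)/;

// Return the named capture, or null when the event has fewer than two entries.
function extract(regex, event) {
  const m = regex.exec(event);
  return m ? m.groups.your_field : null;
}

// General form: value of the n-th (1-based) Modify entry, or null.
// Trimming each segment also tolerates "; Modify:" with a space after the
// delimiter, which neither regex above matches.
function nthModify(event, n) {
  const values = event
    .split(';')
    .map((segment) => segment.trim())
    .filter((segment) => segment.startsWith('Modify:'))
    .map((segment) => segment.slice('Modify:'.length));
  return n >= 1 && n <= values.length ? values[n - 1] : null;
}

console.log('greedy, 2 entries:', extract(GREEDY, EVENT_TWO));
console.log('greedy, 3 entries:', extract(GREEDY, EVENT_THREE));
console.log('lazy,   3 entries:', extract(LAZY, EVENT_THREE));
console.log('nthModify(.., 2): ', nthModify(EVENT_THREE, 2));
```

In a Splunk search the same lazy pattern goes into the `rex` command in place of the greedy one; quotes in the pattern need escaping there.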
