Splunk Search

issue in regex

pragycho
Loves-to-Learn

Hi,

I want to ignore some comment lines and store the value of the last comment in a field.

For example, I have a log where the first 3 lines are commented fields for Version, Date and Software:

#Ver: 1.0
#Date: 2020-04-18 11:10:15
#Software: ABC for Web 11.8.0-414

How do I write the regex expression for this so that I can store the last field value?

My regex is REGEX = ^\# but it is dropping all lines with a leading hash.

How do I store the Software value in a field while the other previous field values can be dropped?


tscroggins
Influencer

@pragycho 

To exclude all lines beginning with # except for #Software in a transform evaluated at index time, try:

^#(?!Software)

To extract the text after #Software: into a field in a transform at search time, try:

^#Software:\s+(?<software>.*)

This is the equivalent rex command:

| rex "^#Software:\s+(?<software>.*)"

I can provide more detailed conf examples if you can provide a little more context around where (index time or search time) you want to discard lines and extract values.

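As an added example (not code from the thread or from Splunk), the three patterns discussed above run in Python over constructed sample lines: the asker's original ^\# filter, the ^#(?!Software) filter that mimics the index-time drop, and the search-time extraction. Python's re module spells the named group (?P<software>...) where Splunk's PCRE uses (?<software>...); the regex semantics are otherwise the same.

```python
import re

# Constructed sample event lines, modelled on the log in the question.
SAMPLE_LINES = [
    "#Ver: 1.0",
    "#Date: 2020-04-18 11:10:15",
    "#Software: ABC for Web 11.8.0-414",
    "2020-04-18 11:10:16 GET /index.html 200",  # a constructed data line
]

# The asker's original pattern: matches every line with a leading hash,
# so it would drop the #Software line too.
ORIGINAL_DROP_RE = re.compile(r"^\#")

# Negative lookahead: match '#' only when NOT followed by 'Software'.
# In Splunk this is the REGEX of a nullQueue transform; here we only test the match.
DROP_RE = re.compile(r"^#(?!Software)")

# Search-time extraction. Splunk/PCRE: (?<software>.*); Python: (?P<software>.*).
EXTRACT_RE = re.compile(r"^#Software:\s+(?P<software>.*)")


def original_keeps(line: str) -> bool:
    """True if the asker's ^\\# pattern would let this line through."""
    return ORIGINAL_DROP_RE.match(line) is None


def keep_line(line: str) -> bool:
    """True if the lookahead filter would let this line through."""
    return DROP_RE.match(line) is None


def extract_software(line: str):
    """Software field value, or None if the line is not a #Software comment."""
    m = EXTRACT_RE.match(line)
    return m.group("software") if m else None


def process(lines):
    """Apply the drop filter, then extract the field from the surviving lines."""
    kept = [ln for ln in lines if keep_line(ln)]
    values = [v for v in (extract_software(ln) for ln in kept) if v is not None]
    return kept, values


if __name__ == "__main__":
    kept, values = process(SAMPLE_LINES)
    print("kept:", kept)
    print("software:", values)
```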

pragycho
Loves-to-Learn

I have the regex in transforms.conf.

Which is good for performance?
