Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- need help with regex field extraction between squa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am still trying to get my head around regular expressions in splunk, and would like to use regex that could parse the _raw data to create an extracted field with the contents that are between the square brackets:
_raw example data looks like this:
2023-07-26 15:11:16.932 [ engine1] [Error-1] INFO java.Exception: example text
2023-07-26 15:11:16.932 [ core2] [Thread-5] WARN java.Exception: example text 2
2023-07-26 15:11:16.932 [ main3] [Token-2] INFO java.Exception: example text 3
2023-07-26 15:11:16.932 [ Job4] [Thread-1] WARN java.Exception: example text 4
I need to extract field that is based on the data between the first square brackets.
If I need another field that is based on teh second square brackets.
So, I would like the results to look like like below:
Field_1 Field_2
engine1 Error-1
core2 Thread-5
main3 Token-2
Job4 Thread-1
Any feedback and help would greatly appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this should work.
<your search>
| rex field=_raw " \[(?<Field_1>.+?)\] \[(?<Field_2>.+?)\] "
You might have to adjust some of the spaces and other characters to match your events. The brief description of the regex above is:
- Look in the raw event field
- Find a space character followed by a left square bracket
- Start capturing a value and name it "Field_1"
- Find any set of characters - this will be what ends up in "Field_1"
- Stop when you find a right square bracket
- Then there should be a space followed by another left square bracket
- Start capturing a value and name it "Field_2"
- Find any set of characters - this will be what ends up in "Field_2"
- Stop when you find a right square bracket followed by a space
Documentation for rex has some good examples.
Hope that helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this should work.
<your search>
| rex field=_raw " \[(?<Field_1>.+?)\] \[(?<Field_2>.+?)\] "
You might have to adjust some of the spaces and other characters to match your events. The brief description of the regex above is:
- Look in the raw event field
- Find a space character followed by a left square bracket
- Start capturing a value and name it "Field_1"
- Find any set of characters - this will be what ends up in "Field_1"
- Stop when you find a right square bracket
- Then there should be a space followed by another left square bracket
- Start capturing a value and name it "Field_2"
- Find any set of characters - this will be what ends up in "Field_2"
- Stop when you find a right square bracket followed by a space
Documentation for rex has some good examples.
Hope that helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the reply, the solutions provided worked great, exactly what I needed.
Much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"\[(?<field_1>[^\]]+)\]\[(?<field_2>[^\]]+)\]"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
How to find the worst searches in your Splunk environment and how to fix them
Share Your Feedback: On Admin Config Service (ACS)!
Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon
