Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

need help with regex field extraction between square brackets

Steve_A200
Path Finder
‎07-26-2023 01:50 PM

I am still trying to get my head around regular expressions in splunk, and would like to use regex that could parse the _raw data to create an extracted field with the contents that are between the square brackets:

_raw example data looks like this:

2023-07-26 15:11:16.932 [ engine1] [Error-1] INFO java.Exception: example text
2023-07-26 15:11:16.932 [ core2] [Thread-5] WARN java.Exception: example text 2
2023-07-26 15:11:16.932 [ main3] [Token-2] INFO java.Exception: example text 3
2023-07-26 15:11:16.932 [ Job4] [Thread-1] WARN java.Exception: example text 4

I need to extract field that is based on the data between the first square brackets.
If I need another field that is based on teh second square brackets.

So, I would like the results to look like like below:

Field_1         Field_2
engine1       Error-1
core2           Thread-5
main3          Token-2
Job4             Thread-1

Any feedback and help would greatly appreciated.

Thanks

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

cklunck
Path Finder
‎07-26-2023 02:23 PM

Something like this should work.

<your search>
| rex field=_raw " \[(?<Field_1>.+?)\] \[(?<Field_2>.+?)\] "

 

You might have to adjust some of the spaces and other characters to match your events. The brief description of the regex above is:

  • Look in the raw event field
  • Find a space character followed by a left square bracket
  • Start capturing a value and name it "Field_1"
  • Find any set of characters - this will be what ends up in "Field_1"
  • Stop when you find a right square bracket
  • Then there should be a space followed by another left square bracket
  • Start capturing a value and name it "Field_2"
  • Find any set of characters - this will be what ends up in "Field_2"
  • Stop when you find a right square bracket followed by a space

Documentation for rex has some good examples.

Hope that helps!

View solution in original post

Reply
Solved! Jump to solution
Solution

cklunck
Path Finder
‎07-26-2023 02:23 PM

Something like this should work.

<your search>
| rex field=_raw " \[(?<Field_1>.+?)\] \[(?<Field_2>.+?)\] "

 

You might have to adjust some of the spaces and other characters to match your events. The brief description of the regex above is:

  • Look in the raw event field
  • Find a space character followed by a left square bracket
  • Start capturing a value and name it "Field_1"
  • Find any set of characters - this will be what ends up in "Field_1"
  • Stop when you find a right square bracket
  • Then there should be a space followed by another left square bracket
  • Start capturing a value and name it "Field_2"
  • Find any set of characters - this will be what ends up in "Field_2"
  • Stop when you find a right square bracket followed by a space

Documentation for rex has some good examples.

Hope that helps!

Reply
Solved! Jump to solution

Steve_A200
Path Finder
‎07-27-2023 11:40 AM

Thank you for the reply, the solutions provided worked great, exactly what I needed.

Much appreciated.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-26-2023 02:07 PM 
"\[(?<field_1>[^\]]+)\]\[(?<field_2>[^\]]+)\]"
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top