regex Field Extraction

es2464 · ‎09-27-2012

Hi, I have a data to be extracted. Below is the example data :

Add Content Menu Sections (confluence.menu.add, Version: 1.0, Installed: bundled)
Admin Sections (confluence.sections.admin, Version: 1.0, Installed: bundled)

I would like to get Add Content Meni Sections and Admin Sections as a field called 'Name', and confluence.menu.add and confluence.sections.admin as 'Package' field as well as 'Version' field.

My current regex is | rex "\\w*\\s*\\((?P<package>[^\\(]+),\\sVersion:\\s(?P<version>[^,]+)" and I only get 4 out of 50 of same formatted lines exist, using this regex.
Anyone has any idea? thanks.

kristian_kolb · ‎09-28-2012

This should work..

... | rex "(?<name>[\w\s]+)\s\((?<package>[^,]+),\sVersion:\s(?<version>[^,]+),"

Hope this helps,

Kristian

es2464 · ‎09-28-2012

they both are matching

Ayn · ‎09-27-2012

Which lines are matching and which are not? Also do you use double backspaces just on this site or in your regex as well? They should be single backspaces only.

regex Field Extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation

regex Field Extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...