regex Field Extraction

es2464 · ‎09-27-2012

Hi, I have a data to be extracted. Below is the example data :

Add Content Menu Sections (confluence.menu.add, Version: 1.0, Installed: bundled)
Admin Sections (confluence.sections.admin, Version: 1.0, Installed: bundled)

I would like to get Add Content Meni Sections and Admin Sections as a field called 'Name', and confluence.menu.add and confluence.sections.admin as 'Package' field as well as 'Version' field.

My current regex is | rex "\\w*\\s*\\((?P<package>[^\\(]+),\\sVersion:\\s(?P<version>[^,]+)" and I only get 4 out of 50 of same formatted lines exist, using this regex.
Anyone has any idea? thanks.

kristian_kolb · ‎09-28-2012

This should work..

... | rex "(?<name>[\w\s]+)\s\((?<package>[^,]+),\sVersion:\s(?<version>[^,]+),"

Hope this helps,

Kristian

es2464 · ‎09-28-2012

they both are matching

Ayn · ‎09-27-2012

Which lines are matching and which are not? Also do you use double backspaces just on this site or in your regex as well? They should be single backspaces only.

regex Field Extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation

regex Field Extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience