Solved: Re: regex address

CyberWolf · ‎12-06-2024

im trying to capture address, city and state that are in one line but they have ", : and ,
i would like to excluede (Quotes Coma and Colon)
see test example below

12345 noth test Avenue","city":"test","state":"test",

gcusello · ‎12-06-2024

Hi @CyberWolf ,

please try:

<your_search>
| rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=address." City ".city." state ".state

Ciao.

Giuseppe

View solution in original post

CyberWolf · ‎12-06-2024

thanks but i think i wasn't clear what im trying to do is that all that to be in one field called (?<address>) not separated with city and state

gcusello · ‎12-06-2024

Hi @CyberWolf ,

let me understand, you want only one field, called address containing city and state, is it correct?

in this case, please try this:

<your_search>
| rex ".*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)"
| eval address=state." ".city

Ciao.

Giuseppe

dural_yyz · ‎12-06-2024

Creating the regex would be easy enough but it looks like your data is already coming in JSON or XML format. Is there a chance that the fields are already extracted as "city" and "state"? If not then I would recommend revisiting the ingestion props as a best practice. Rather than creating a lot of regex at search time if you had that field extraction during indexing then any changes to data would auto extract new fields.

.*\"city\"\:\"(?<city>[^\"]+)\"\,\"state\"\:"(?<test>[^\"]+)

CyberWolf · ‎12-06-2024

correct it comes in json and i dont have control of it, but im trying to have is address city and state to be all in the field and ignore coma quotes and :

gcusello · ‎12-06-2024

Hi @CyberWolf ,

if the logs you have, you can use a regex like the following:

| rex "^[^,]+,\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"

that you can test at https://regex101.com/r/ZafgnI/1

I'd be more detailed if you can share a complete log, not onl a part of it.

Ciao.

Giuseppe

CyberWolf · ‎12-06-2024

example from the raw logs:
"address":"1234 Nothing 2C Avenue","city":"something","state":"RD"

would like to have field name Address
Address
1234 Nothing 2C Avenue City something state RD

all that in one field so ignore the " , and :

What i have
index=something
| rex field=_raw "address\"\:\"(?<address>.*?)\"\,\"
which shows field name:
address
1234 Nothing 2C Avenue","city":"something","state":"RD"

gcusello · ‎12-06-2024

Hi @CyberWolf ,

please try:

<your_search>
| rex "^\"address\":\"(?<address>[^\"]+)\",\"city\":\"(?<city>[^\"]+)\",\"state\":\"(?<state>[^\"]+)"
| eval address=address." City ".city." state ".state

Ciao.

Giuseppe

CyberWolf · ‎12-06-2024

Thank you all it worked! (Grazie mile!) YEAHHH

richgalloway · ‎12-06-2024

Are you trying to capture the data in a single field or multiple fields? Is this to be done at index time or search time?

---
If this reply helps you, Karma would be appreciated.

CyberWolf · ‎12-06-2024

all in a single field so i can used later to dc (distinguish count)

regex address

regex

Video | Welcome Back to Smartness, Pedro

Detector Best Practices: Static Thresholds

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...