Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

regex field extraction

ialahdal
Path Finder
‎12-11-2019 08:50 PM

I have an event that is in an HTML tag format, I'd like to extract data within it in a specific manner, as follows:
<TAG1>Splunking</TAG1>

I was trying to extract the data by matching group1 "TAG1" to group2 "/TAG1" and extracting what's in between into a filed named the same as group1, is this possible??

The best I was able to achieve was this <([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>(.*?)<\/\1>
But that doesn't work in nested tags, I also don't know how to assign a filed to a group based on a previous one in splunk.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

poete
Builder
‎12-11-2019 11:26 PM

Hello @ialahdal,

I think you should use spath in this case (https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/Spath).

Please find below an example of use, with 2 levels of fields in the xml.

| makeresults 
| eval somefield="<level1><someFieldLevel1>someValueLevel1</someFieldLevel1><level2><someFieldLevel2>someValueLevel2</someFieldLevel2></level2></level1>"
| spath input=somefield

View solution in original post

Reply
Solved! Jump to solution
Solution

poete
Builder
‎12-11-2019 11:26 PM

Hello @ialahdal,

I think you should use spath in this case (https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/Spath).

Please find below an example of use, with 2 levels of fields in the xml.

| makeresults 
| eval somefield="<level1><someFieldLevel1>someValueLevel1</someFieldLevel1><level2><someFieldLevel2>someValueLevel2</someFieldLevel2></level2></level1>"
| spath input=somefield
Reply
Solved! Jump to solution

ialahdal
Path Finder
‎01-14-2020 02:36 AM

This helped, thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...