Splunk Search

rex, Extract information between two slashes and blanks

fklink
New Member

Hi,

I have information like: "DESCRIPTION EMEA:GERMANY:FRANKFURT / client4711 / down"
where DESCRIPTION is a field, already. I would like to rex the information "client4711".
This should be done by rex all information which starts with "/" followed by one "blank" "client4711" one "blank" followed by "/".

Could you answer my question, please?
Many thanks in advance.
floe.

0 Karma

gokadroid
Motivator

Try this which will cover all clients, basically everything between blank and blank:

... | rex field=DESCRIPTION "\/\s(?<client>\S+)\s\/" | ...

0 Karma

fklink
New Member

Many thanks. Looks better 🙂

I see some clients, now. Unfortunately, if a client includes one or more "-" Splunk doesn't extract the information.

Example:
client4711- works 🙂
client8888 - works 🙂
client-4711 Splunk doesn't extract the information
client-47-12-21 Splunk doesn't extract the information

Is there a way to tell rex "extract everything between /blank /blank"?

Many thanks in advance
floe.

0 Karma

richgalloway
SplunkTrust

Try this:

... | rex field=DESCRIPTION "\/\s(?<client>\w+)\s\/" | ...
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Here's an update based on your comment.

... | rex field=DESCRIPTION "\/\s(?<client>[^\s]+)\s\/" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

inventsekar
Ultra Champion

Check this one:
your search | rex field=_raw "\/\s(?<ClientNumber>\w+\d+)\s\/" | table ClientNumber

0 Karma
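
The four patterns posted in this thread, compared side by side on plain and hyphenated client names. This is an added example, not code from any poster: it runs in Python rather than Splunk, so `(?<client>...)` is written `(?P<client>...)`, and the DESCRIPTION values are constructed from the format and client names given in the question. A pattern that silently misses hyphenated names leaves the field empty for those events, which is why it is worth checking before the field feeds a search or alert.

```python
import re

# The rex patterns from the thread, keyed by the character class each one uses.
# Only the named-group spelling is changed, because Python's re needs (?P<name>...).
PATTERNS = {
    r"\S+": re.compile(r"\/\s(?P<client>\S+)\s\/"),
    r"\w+": re.compile(r"\/\s(?P<client>\w+)\s\/"),
    r"[^\s]+": re.compile(r"\/\s(?P<client>[^\s]+)\s\/"),
    r"\w+\d+": re.compile(r"\/\s(?P<client>\w+\d+)\s\/"),
}

# Constructed sample values: the question's format with the client names
# mentioned in the follow-up, plus one value without blanks around the slashes.
SAMPLES = [
    "EMEA:GERMANY:FRANKFURT / client4711 / down",
    "EMEA:GERMANY:FRANKFURT / client-4711 / down",
    "EMEA:GERMANY:FRANKFURT / client-47-12-21 / down",
    "EMEA:GERMANY:FRANKFURT/client4711/down",
]


def extract(description):
    """Return {pattern label: captured client, or None if nothing matched}."""
    result = {}
    for label, rx in PATTERNS.items():
        # rex matches anywhere in the field, so use search() rather than match().
        m = rx.search(description)
        result[label] = m.group("client") if m else None
    return result


def compare(samples):
    """Run every pattern over every sample value."""
    return {s: extract(s) for s in samples}


if __name__ == "__main__":
    for desc, row in compare(SAMPLES).items():
        print(desc)
        for label, client in row.items():
            print(f"    {label:8} -> {client}")
```
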