
rex, Extract information between two slashes and blanks

fklink
New Member

Hi,

I have information like: "DESCRIPTION EMEA:GERMANY:FRANKFURT / client4711 / down"
where DESCRIPTION is already a field. I would like to rex the information "client4711".
This should be done by rex all information which starts with "/" followed by one "blank" "client4711" one "blank" followed by "/".

Could you answer my question, please?
Many thanks in advance.
floe.


gokadroid
Motivator

Try this which will cover all clients, basically everything between blank and blank:

... | rex field=DESCRIPTION "\/\s(?<client>\S+)\s\/" | ...


fklink
New Member

Many thanks. Looks better 🙂

I see some clients now. Unfortunately, if a client includes one or more "-", Splunk doesn't extract the information.

Example:
client4711- works 🙂
client8888 - works 🙂
client-4711 Splunk doesn't extract the information
client-47-12-21 Splunk doesn't extract the information

Is there a way to tell rex "extract everything between /blank /blank"?

Many thanks in advance
floe.

0 Karma

richgalloway
SplunkTrust

Try this:

... | rex field=DESCRIPTION "\/\s(?<client>\w+)\s\/" | ...
---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

Here's an update based on your comment.

... | rex field=DESCRIPTION "\/\s(?<client>[^\s]+)\s\/" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma

inventsekar
SplunkTrust

Check this one:
your search | rex field=_raw "\/\s(?<ClientNumber>\w+\d+)\s\/" | table ClientNumber

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
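An offline way to compare the patterns posted in this thread before putting one into a search, added here as an example and not written by any of the posters. It uses Python's `re` as a stand-in for the PCRE engine behind `rex` (named groups are rewritten to Python's `(?P<name>...)` spelling); the sample events and the `assumed_lenient` pattern are constructed for illustration and are not from the thread.

```python
import re

# Patterns posted in the thread, written as Splunk rex (PCRE) strings.
THREAD_PATTERNS = {
    "gokadroid": r"\/\s(?<client>\S+)\s\/",
    "richgalloway_1": r"\/\s(?<client>\w+)\s\/",
    "richgalloway_2": r"\/\s(?<client>[^\s]+)\s\/",
    "inventsekar": r"\/\s(?<ClientNumber>\w+\d+)\s\/",
}
# Hypothetical variant (not from the thread): tolerate repeated blanks
# and blanks inside the value by taking everything up to the next slash.
THREAD_PATTERNS["assumed_lenient"] = r"\/\s+(?<client>[^\/]+?)\s+\/"

# Constructed sample events, built from the client names in the thread.
SAMPLES = [
    "EMEA:GERMANY:FRANKFURT / client4711 / down",
    "EMEA:GERMANY:FRANKFURT / client4711- / down",
    "EMEA:GERMANY:FRANKFURT / client-4711 / down",
    "EMEA:GERMANY:FRANKFURT / client-47-12-21 / down",
    "EMEA:GERMANY:FRANKFURT /  client 8888  / down",  # extra blanks
]

def to_python(rex_pattern):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...)."""
    # The lookahead leaves lookbehinds such as (?<= and (?<! untouched.
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", rex_pattern)

def extract(rex_pattern, description):
    """Return the first named capture, or None when the pattern does not match."""
    m = re.search(to_python(rex_pattern), description)
    return next(iter(m.groupdict().values())) if m else None

def compare():
    """Map each sample to {pattern name: extracted value or None}."""
    return {s: {n: extract(p, s) for n, p in THREAD_PATTERNS.items()} for s in SAMPLES}

if __name__ == "__main__":
    for sample, results in compare().items():
        print(sample)
        for name, value in results.items():
            print(f"    {name:16} -> {value!r}")
```

A `None` in the output means the field would not be created for that event, which is the case to look for when a field is missing from search results.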