Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex - Extracting a string

jrowland1230
Explorer
‎06-19-2024 11:40 AM

I want to exact a string 'GUID" from the log right after "customers". This regex expression works in https://regex101.com/ but not in Splunk.  My field name is log:

2023-06-19 15:28:01.726 ERROR [communication-service,6e72370er2368b08,6e723709fd368b08] [,,,] 1 --- [container-0-C-1] c.w.r.acc.commservice.sink.ReminderSink : Reminder Message processed, no linked customers aaf60d69-99a9-41f5-a081-032224284066

 

| rex field=log "(?<cids>).*customers\s(.*)"

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

P_vandereerden
Splunk Employee
Splunk Employee
‎06-19-2024 01:01 PM

Did you want cids to contain that GUID?

Try

| rex field=log ".*customers\s(?<cids>.*)"


Alternatively, if the GUID is always at the end, following a space, you can even drop the "customers" part:

| rex field=log "(?<cids>\S+$)"


Your example appears to be creating a capture group named "cids" that captures nothing (the first set of parentheses), and then a second non-capturing group that matches what you want (the second set of parentheses).
This document might help explain in more detail:
https://docs.splunk.com/Documentation/SCS/current/Search/AboutSplunkregularexpressions#Capture_group... 

Paul van der Eerden,
Breaking software for over 20 years.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

P_vandereerden
Splunk Employee
Splunk Employee
‎06-19-2024 01:01 PM

Did you want cids to contain that GUID?

Try

| rex field=log ".*customers\s(?<cids>.*)"


Alternatively, if the GUID is always at the end, following a space, you can even drop the "customers" part:

| rex field=log "(?<cids>\S+$)"


Your example appears to be creating a capture group named "cids" that captures nothing (the first set of parentheses), and then a second non-capturing group that matches what you want (the second set of parentheses).
This document might help explain in more detail:
https://docs.splunk.com/Documentation/SCS/current/Search/AboutSplunkregularexpressions#Capture_group... 

Paul van der Eerden,
Breaking software for over 20 years.
0 Karma
Reply
Solved! Jump to solution

jrowland1230
Explorer
‎06-20-2024 05:21 AM

So to clarify the <cids> is the placeholder for the values produced from the regex AND also the placement is where the actual value would be contained in the string, i.e. Log field?

0 Karma
Reply
Solved! Jump to solution

P_vandereerden
Splunk Employee
Splunk Employee
‎06-20-2024 08:09 AM

Yes. You can name multiple capture groups in one rex statement. 

e.g.

| rex field=my_field "foo:\s+\"(?<first_capture>[^\"]+)\",\s+bar:\s+(?<second_capture>[^\"]+)"
Paul van der Eerden,
Breaking software for over 20 years.
0 Karma
Reply
Solved! Jump to solution

jrowland1230
Explorer
‎06-20-2024 05:19 AM

Thank you. I was close ugh.

Reply
Get Updates on the Splunk Community!

Changes to Splunk Instructor-Led Training Completion Criteria

We’re excited to share an update to our instructor-led training program that enhances the learning experience ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

❄️ Welcome the new year with our January lineup of Community Office Hours, Tech Talks, and Webinars! &#x1f389; ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...