Solved: Re: using regex for field extraction

dylanhess · ‎12-07-2021

I am trying to extract the action=* from this field, in this event its add. I've trying extracting through how you would typically extract fields but it doesn't want to capture all the different possible events, action=delete, action=replace etc.

UPDATE#011class=DATASET#011prof=IMSVS.*#011vol=P1CP02#011dsn=IMSVS.BETALIBA#011member=PYNMU49#011box=HTC-95-000000033771-0094#011action=ADD#011sum=PJXCPAI6

So I resorted to trying to manually write my own regex (?<=action=).*(?=#) but I cant seem to get the rex command to work or manually add my regex to the filed extraction

rex field=intent (?<=action=).*(?=#)

I get this error message when using the rex command above.

Error in 'rex' command: The regex '(?<=action=).*(?=#)' does not extract anything. It should specify at least one named group. Format: (?<name>...).

ITWhisperer · ‎12-07-2021

rex field=intent "action=(?<action>[^#]*)#"

View solution in original post

ITWhisperer · ‎12-07-2021

rex field=intent "action=(?<action>[^#]*)#"

dylanhess · ‎12-07-2021

Thank you so much!

using regex for field extraction

field extraction

fields

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation