Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create Splunk Regex to search for a field after n occurrences of comma?

atulitm
Path Finder
‎02-21-2018 03:57 AM

I have been trying to create Splunk rex but it doesn't work for some reason and would need help in finding any word or string after n number of commas like

LOG:
12/11/2018, abc, def, ced, xyz

I would like to get variable stored which is after 3 commas which is ced in above case something like :

index= | rex ",{3}(?\w+) | table test
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎02-21-2018 04:35 AM

Your own attempt comes close, but you of course also need to include the strings before / in between those 3 commas in the regex for it to match.

So:

index= | rex "(?:[^,]*,\s*){3}(?<test>\w+)" | table test

Which defines a non capturing group consisting of some arbitrary number of non-comma characters, followed by a comma and possible whitespace. And that group is repeated 3 times. After that, the actual capturing group to capture the string you need.
https://regex101.com/r/AUhB3o/1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎02-21-2018 04:35 AM

Your own attempt comes close, but you of course also need to include the strings before / in between those 3 commas in the regex for it to match.

So:

index= | rex "(?:[^,]*,\s*){3}(?<test>\w+)" | table test

Which defines a non capturing group consisting of some arbitrary number of non-comma characters, followed by a comma and possible whitespace. And that group is repeated 3 times. After that, the actual capturing group to capture the string you need.
https://regex101.com/r/AUhB3o/1

0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎02-21-2018 04:56 AM

Thanks that helps .. I have tried a lot but may be its simple for you . i would like capture anything after 3rd comma and before 4th because this query helps in getting after 3rd but string after that is having gaps so it doesnt save whole string .

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎02-21-2018 05:02 AM

Just replace the \w with [^,] and perhaps you need to do something about not capturing the whitespace before the 4th comma. So try this:

index= | rex "(?:[^,]*,\s*){3}(?<test>[^,]+)\s+," | table test

https://regex101.com/r/AUhB3o/2

0 Karma
Reply
Solved! Jump to solution

atulitm
Path Finder
‎02-21-2018 05:14 AM

Thanks for help frank . I need to improve myself on regex .

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎02-21-2018 05:19 AM

You're welcome 🙂

And yes, that is a very valuable skill to develop as a Splunk user/admin 🙂

0 Karma
Reply
Solved! Jump to solution

ctaf
Contributor
‎02-21-2018 04:32 AM

Hi,

You can do this:

| rex (\s,\s\w+){2}\s,\s(?<fieldname>[^\s]+)

Put {n-1} for n commas. Here it is {2} for 3 commas.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-21-2018 04:04 AM

try this:

index=indexname|rex ".*,(?<test>\w+)"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...