Solved: How to create a regex to extract fields between tw...

Deepz2612 · ‎06-18-2019

Hi,help me in writing regex to extract field between two hyhpens.

Eg: S-STRA-32
F-FIDR-67

Thanks!

woodcock · ‎06-18-2019

Add this to your search:

... | rex max_match=0 "(?<=-)(?<betweenHyphens>[^-]+)(?=-)"

This captures multiples, even sequentials like when you do this, which the others do not:

|makeresults | eval _raw="foo-bar-bat-boo"
| rex max_match=0 "(?<=-)(?<betweenHyphens>[^-]+)(?=-)"

View solution in original post

woodcock · ‎06-18-2019

Add this to your search:

... | rex max_match=0 "(?<=-)(?<betweenHyphens>[^-]+)(?=-)"

This captures multiples, even sequentials like when you do this, which the others do not:

|makeresults | eval _raw="foo-bar-bat-boo"
| rex max_match=0 "(?<=-)(?<betweenHyphens>[^-]+)(?=-)"

vnravikumar · ‎06-18-2019

Hi

Try this

| makeresults 
| eval str="F-FIDR-67" 
| eval result = mvindex(split(str,"-"),1)

pranay_adla · ‎06-18-2019

   | rex field=<yourfield> "\-(?P<field_name>\w+)\-"

VatsalJagani · ‎06-18-2019

Hello @Deepz2612,

Please try regex: -(?<your_field>.*)-. You will get value between two hyphen in "your_field" field.

This will work but if you have further information about elements on both side of hyphen you can make regex faster. For example I'm assuming we have only one characters on left side of hyphen and some digits on right side of hyphen we can use regex: [a-zA-Z]-(?<your_field>.*)-\d+.

Hope this helps!!!

harsmarvania57 · ‎06-18-2019

Hi,

Please try below regex, it will extract data in new field called extracted_field

<yourBaseSearch>
| rex field=<yourfield> "^[^\-]+\-(?<extracted_field>[^\-]+)\-"

How to create a regex to extract fields between two hyphens?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...