Splunk Search

How to create regex that will pick up on a value contained in [ ] brackets?

Splunky21
Explorer

Hi all,

I'm attempting to develop a regex that will pick up on a value contained in [ ] brackets (see below):

Log value

year number time:time:time 00 AAA0 Blah Blah Blah Blah Blah: [X] to [Y] (4 possible variables X,Y,A,B)

 

I need to alert every time the * to [ bracketed value] changes. Trying to make a regex to pick out these bracketed values. Any help is appreciated!

 

Labels (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this command to extract both values within brackets.

| rex "\[(?<bracket1>[^\]]+)\] to \[(?<bracket2>[^\]]+)"

It looks for the first bracket, extracts everything up to the second into field 'bracket1', then it looks for a closing bracket followed by " to " and a third bracket.  Everything up to the fourth bracket is put into field 'bracket2'.

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Try this command to extract both values within brackets.

| rex "\[(?<bracket1>[^\]]+)\] to \[(?<bracket2>[^\]]+)"

It looks for the first bracket, extracts everything up to the second into field 'bracket1', then it looks for a closing bracket followed by " to " and a third bracket.  Everything up to the fourth bracket is put into field 'bracket2'.

 

---
If this reply helps you, Karma would be appreciated.

Splunky21
Explorer

That worked perfectly, thanks! 🙂 

0 Karma
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...