Solved: How to create regex that will pick up on a value c...

Splunky21 · ‎11-16-2022

Hi all,

I'm attempting to develop a regex that will pick up on a value contained in [ ] brackets (see below):

Log value

year number time:time:time 00 AAA0 Blah Blah Blah Blah Blah: [X] to [Y] (4 possible variables X,Y,A,B)

I need to alert every time the * to [ bracketed value] changes. Trying to make a regex to pick out these bracketed values. Any help is appreciated!

richgalloway · ‎11-16-2022

Try this command to extract both values within brackets.

| rex "\[(?<bracket1>[^\]]+)\] to \[(?<bracket2>[^\]]+)"

It looks for the first bracket, extracts everything up to the second into field 'bracket1', then it looks for a closing bracket followed by " to " and a third bracket. Everything up to the fourth bracket is put into field 'bracket2'.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎11-16-2022

Try this command to extract both values within brackets.

| rex "\[(?<bracket1>[^\]]+)\] to \[(?<bracket2>[^\]]+)"

It looks for the first bracket, extracts everything up to the second into field 'bracket1', then it looks for a closing bracket followed by " to " and a third bracket. Everything up to the fourth bracket is put into field 'bracket2'.

---
If this reply helps you, Karma would be appreciated.

Splunky21 · ‎11-16-2022

That worked perfectly, thanks! 🙂

How to create regex that will pick up on a value contained in [ ] brackets?

lookup

regex

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?