Re: How to edit my regular expression to extract f...

kiran_mh · ‎11-17-2016

Hi,

I have the following expression (?=[^C]*(?:CASE|C.*CASE))^(?:[^:\n]*:){5}\s+\w+(?P.+), which is used to extract fields but I only want fields that contain "CASE" and not "Case" or "case".

Thank you

Regards,
KIran

sundareshr · ‎11-18-2016

If you want to only retrieve events with CASE, use the CASE() function in your base search

index=foo CASE("CASE") | ...

gokadroid · ‎11-17-2016

Assuming you are interested in strings which start with CASE and need to be stored in field1 then you can use following rex. It will work on strings starting with CASE, example CASE abc: 22 and save everything upto a : or a new line \n like CASE abc in field1

your query to return events
| rex field=_raw "(?<field1>(CASE)[^:\n]+)"
| complete your query using field1

If you can post some specific sample logs of what you want to extract then this regex can be refined.

gokadroid · ‎11-18-2016

to get the logs which only contain CASE try this:

index=yourIndex sourcetype=yourSourcetype (CASE)

kiran_mh · ‎11-18-2016

Thank you gokaroid,

We need only the logs that contain "CASE"- all upper case, rest like "Case" should be discarded

Please help with this..

Thanks in advance

How to edit my regular expression to extract fields that contain "CASE" but not "Case" or "case"?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I

Are you a member of the Splunk Community?

How to edit my regular expression to extract fields that contain "CASE" but not "Case" or "case"?

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

Splunk Answers Content Calendar, July Edition I