- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Regex to capture values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have events like below. I need to extract 4EU56, 4YB2. the number of lines between statictext and Y-EER-RTY would vary.
Sometimes I might not have anything, sometimes they could be 10, and sometimes they could be some other number.
In the example below, I gave 2. So how can I get all of them between, and | for all of them till Y-EER-RTY?
statictext
,4EU56|1|1|456|anotherstatictext
,4YB2|1|1|946|200930||||S_NW|anotherstatictext
Y-EER-RTY
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xvxt006,
based on the provided example you can use this regex:
base search here | rex max_match=0 "^,(?<myField>[^|]*)" | table myField
This will get everything between all lines starting with , until the next |
Update:
based on the comments below, this is the correct answer
Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right
(?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)
Works on regex101.com with your provided examples and returns the following matches:
MATCH 1
myField [94-100] `12R071`
MATCH 2
myField [159-165] `12R095`
MATCH 3
myField [224-230] `12R090`
MATCH 4
myField [289-295] `12R078`
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi xvxt006,
based on the provided example you can use this regex:
base search here | rex max_match=0 "^,(?<myField>[^|]*)" | table myField
This will get everything between all lines starting with , until the next |
Update:
based on the comments below, this is the correct answer
Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right
(?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)
Works on regex101.com with your provided examples and returns the following matches:
MATCH 1
myField [94-100] `12R071`
MATCH 2
myField [159-165] `12R095`
MATCH 3
myField [224-230] `12R090`
MATCH 4
myField [289-295] `12R078`
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. This gives me an idea on how to tackle some other scenarios. Can you make this as Answer. don't have permissions to do that..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
update ping; modified the answer to be correct now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically i am looking for shippingResponse= or , as left boundaries and | as the right boundary. That would give me
12R071,12R095,12R090,12R078
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, try this regex it will use shippingResponse= or , which is not followed by a ] as left boundary and the next | as right
(?:shippingResponse=|,)(?!\])(?<myField>[^\|]+)
Works on regex101.com with your provided examples and returns the following matches:
MATCH 1
myField [94-100] `12R071`
MATCH 2
myField [159-165] `12R095`
MATCH 3
myField [224-230] `12R090`
MATCH 4
myField [289-295] `12R078`
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Michael,
this gives better results but still there is unwanted text. Just trying to understand what you wrote in that expression.
Does this (?!,])[=,] mean that either either "=" or "," cannot not be preceeded by "," or "]"
is there an email i can send you what i am seeing?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MuS, static test i mentioned has "," in it. So that won't work.
Here is more realistic example of the event. I need 12R095,12R090,12R078
|ItemBranch:|FulfillingBranch:|S|Line#:|GenMessage:Y|ShipMode:GR|ShipDate:,] shippingResponse=12R071|1|1|005|20150930||||S_NW|standard.ship.stocked.available
,12R095|1|1|002|20150929||||S_NW|standard.ship.stocked.available
,12R090|1|1|003|20151001||||S_NW|standard.ship.stocked.available
,12R078|1|1|005|20150930||||S_NW|standard.ship.stocked.available
Y-EER-RTY
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this :
base search here | rex max_match=0 "(?!,\])[=,](?<myField>[^|]*)" | table myField
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
