Solved: Rex formatting trouble

MikeB · ‎10-06-2021

Hello again Spelunkers!

So I have data that looks like this:

assessment=normal [1.0]
assessment=normal [1.1]
assessment=suspect [0.75]
assessment=suspect [0.88]
assessment=bad [0.467]

I want a table column named rating that takes the "normal," "suspect," "bad" without the [###] after it. So I wrote the below thinking I can name the column rating and then capture any alpha characters and terminate at the white space between the word value and the [###] value. What would be the correct way of writing this? Thank you in advance!

| rex field=raw_ "assessment=(?<rating>/\w/\s)"

danielcj · ‎10-06-2021

Hi,

Please, try the following:

| rex field=_raw "assessment=(?<rating>\S+)"

View solution in original post

danielcj · ‎10-06-2021

Hi,

Please, try the following:

| rex field=_raw "assessment=(?<rating>\S+)"

MikeB · ‎10-07-2021

Thank you! This worked perfectly.

Rex formatting trouble

rex

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES

Are you a member of the Splunk Community?

Rex formatting trouble

rex

What the End of Support for Splunk Add-on Builder Means for You

Solve, Learn, Repeat: New Puzzle Channel Now Live

Building Reliable Asset and Identity Frameworks in Splunk ES