Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field extraction using regex - removing curly brackets

jaydiare
Explorer
‎05-18-2021 08:52 AM

I wonder if anybody can help me  with a regex to break this field into single lines 

 

CustomResults="{pcap_filter_result {72038003 Ok (0x00000000)}} {pcap_filter_result {1769863 Ok (0x00000000)}} {pcap_filter_result {10879463 Ok (0x00000000)}} {pcap_filter_result {1962188 Ok (0x00000000)}} {pcap_filter_result {69603350 Ok (0x00000000)}} {pcap_filter_result {22006889 Ok 

I am only interested to have : 72055288 Ok (0x00000000) 

is there any way I can see it match line by line with any other field?  like 

field 1 field 2 72055288 Ok (0x00000000) 

field 1 field 2 72055289 Ok (0x00000000) 

field 1 field 2 72055210 Ok (0x00000000) 

this one field has all this data together and looking for the best way to break it

 

thanks so much

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2021 09:18 AM 
| rex max_match=0 "\{pcap_filter_result\s{(?<filter>[^\}]+)\}\}"
| mvexpand filter

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2021 09:18 AM 
| rex max_match=0 "\{pcap_filter_result\s{(?<filter>[^\}]+)\}\}"
| mvexpand filter
Reply
Solved! Jump to solution

jaydiare
Explorer
‎05-18-2021 12:25 PM

thank you this one worked!

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎05-18-2021 09:16 AM

Hi,

There are several ways to achieve this. Assuming I understood your question correctly, the following SPL should do the job:

| makeresults
| eval CustomResults = "{pcap_filter_result {72038003 Ok (0x00000000)}} {pcap_filter_result {1769863 Ok (0x00000000)}} {pcap_filter_result {10879463 Ok (0x00000000)}} {pcap_filter_result {1962188 Ok (0x00000000)}} {pcap_filter_result {69603350 Ok (0x00000000)}}"
| rex field=CustomResults max_match=0 "pcap_filter_result \{(?<fields>\d+ [^\}]+)"
| mvexpand fields
| rex field=fields "(?<field1>\d+) (?<field2>.+?)$"

Example from my lab:

Screenshot 2021-05-18 at 18.15.21.png

Reply
Get Updates on the Splunk Community!

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...

Secure Your Future: Mastering Upgrade Readiness for Splunk 10

Spotlight: The Splunk Health Assistant Add-On  The Splunk Health Assistant Add-On is your ultimate companion ...

Observability Unlocked: Kubernetes & Cloud Monitoring with Splunk IM

Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team on ...