- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Trying to extract some value only particular stri...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying to extract some value only particular string but it is also giving the unmatched string based on the path of the string...
I want to extract only this validation string but not () valus which is there in the second event..
[2/26/19 03:22:29:506 CEST] 0000001f monitor O 2019-06-26 14:22:29,506 [newstp - validation - NEW]
[2/26/19 03:28:17:829 CEST] 00000023 monitor O INFO 2019-06-26 14:28:17.829 activity;
Here is the Regex which I'm using :^(?:[^ \n]* ){10}(?P[^ ]+)
Please help me to extract only validation string, not the empty string..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a string that will get you the value of the validation string:
\[newstp\s-\svalidation\s-\s(?P<fld>.+)\]
This just looks for the string "[newstp - validation - and captures the next word before the ],
-or, did you mean it's giving you the () and you always want the bits in between the []'s?
.*\[(?P<fld>.+)\]
This looks for the square brackets and captues what's between them.
I used 'fld' as the field name where you should find the captured bits.
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's a string that will get you the value of the validation string:
\[newstp\s-\svalidation\s-\s(?P<fld>.+)\]
This just looks for the string "[newstp - validation - and captures the next word before the ],
-or, did you mean it's giving you the () and you always want the bits in between the []'s?
.*\[(?P<fld>.+)\]
This looks for the square brackets and captues what's between them.
I used 'fld' as the field name where you should find the captured bits.
Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply.. I'm unable to get the output.. it says "Regex: missing terminating" while testing...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's my search:
source="/tmp/splunk_ingest/*" host="/tmp/splunk_ingest" index="sandbox" sourcetype="rando_file"
| rex field=_raw "\[newstp\s-\svalidation\s-\s(?P<fld>.+)\]"
| rex field=_raw ".*\[(?P<fld2>.+)\]"
| table _time _raw fld fld2
and my results (in CSV):
_time","_raw",fld,fld2
"2019-06-25T21:28:17.829-0400","[2/26/19 03:28:17:829 CEST] 00000023 monitor O INFO 2019-06-26 14:28:17.829 [activity] ();",,activity
"2019-06-25T21:22:29.506-0400","[2/26/19 03:22:29:506 CEST] 0000001f monitor O 2019-06-26 14:22:29,506 [newstp - validation - NEWSTP$46359]","NEWSTP$46359","newstp - validation - NEWSTP$46359"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post your search string?
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Introducing the Splunk Community Dashboard Challenge!
Wondering How to Build Resiliency in the Cloud?
