Hopefully a quick one, but I'm looking to search and extract anything between these two fields
The extraction is simple:
| rex "<title>(?<title_text>.*)</title>"
The searching part I'll leave as an exercise...
Well it's not going to do much good within a subsearch. You need to add it to your main search.
I took it out to see if it made a difference... it would look like so at the very end ... | table task_id owner_text title_text
It may be the join that's messing you up. Try it without the subsearch:
index=myindex sourcetype=my-app host=04 OR host=050 Status_type="ERROR" NOT "The remote server returned an error: (401) Unauthorized." | rex "<title>(?<title_text>.*)</title>" | rex "<owner>(?<owner_text>.*)</owner>" | rename id AS "Asset" | table "Asset" task_id owner_text title_text
So where's the | table command that you reportedly were using?
Sorry, that pipe should have been included in the post.
Not sure if a where would be better, I'm new to Splunk 🙂
Not sure if the forum mangled your syntax, but you're missing a pipe character between OR "
index=myindex sourcetype=my-app host=04* OR host=050 Status_type="ERROR" NOT "The remote server returned an error: (401) Unauthorized." | join type=left task_id [search index=myindex sourcetype=my-app host=04* OR host=050 "<title>" OR "<owner>" rex "<title>(?<title_text>.*)</title>" | rex "<owner>(?<owner_text>.*)</owner>" | rename id AS "Asset" | fields "Asset" task_id owner_text title_text]
As both cphair and I have tried these suggestions ourselves with the expected results, I think it would be a good idea for you to paste a sample event. With the rex and table commands at the end, you really should be seeing only what's between the title opening and closing tags.
Correct, I'm using rex; not sure what you mean by field=
I tried dwaddle's solution on my data and it worked fine. You are piping to rex, and not regex as you say in your title and first comment, correct? No newlines in your data? Does it make a difference if you specify field=
Yes, and in the table I get the entire line...
Mytitle
And you applied the table command I wrote at the end of your search?
No, there's only one set of title tags, but it's all contained within one long line that has other tags.
Do you have multiple <title> tags for some weird reason? In that case, you will want to make the regex match non-greedy:
| rex "<title>(?<title_text>.*?)</title>"
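To see why the non-greedy form matters when a single-line event carries more than one closing tag, here is an added Python illustration (not part of the thread, and not SPL itself): it runs the thread's two title patterns and the owner pattern against a constructed event. Python's re needs (?P<name>...) where Splunk's rex uses (?<name>...); otherwise the matching semantics shown here are the same.

```python
import re

# Constructed sample event (not from the thread): one long line with several tags,
# including two <title> elements, which is the case the non-greedy pattern is for.
SAMPLE_EVENT = (
    'task_id=42 id=asset-7 <owner>jsmith</owner> <title>Mytitle</title> '
    '<status>ERROR</status> <title>Second title</title> <note>ignored</note>'
)

# Splunk:  | rex "<title>(?<title_text>.*)</title>"      (greedy)
GREEDY_TITLE = r"<title>(?P<title_text>.*)</title>"
# Splunk:  | rex "<title>(?<title_text>.*?)</title>"     (non-greedy)
LAZY_TITLE = r"<title>(?P<title_text>.*?)</title>"
# Splunk:  | rex "<owner>(?<owner_text>.*?)</owner>"
OWNER = r"<owner>(?P<owner_text>.*?)</owner>"


def rex(pattern: str, event: str, field: str):
    """Mimic a single `| rex` extraction: return the named capture, or None
    when the pattern does not match (Splunk would leave the field unset)."""
    m = re.search(pattern, event)
    return m.group(field) if m else None


def extract_fields(event: str, greedy: bool = False) -> dict:
    """Apply the title and owner extractions, returning only the extracted
    fields (the equivalent of ending the search with `| table owner_text title_text`)."""
    title_pattern = GREEDY_TITLE if greedy else LAZY_TITLE
    return {
        "owner_text": rex(OWNER, event, "owner_text"),
        "title_text": rex(title_pattern, event, "title_text"),
    }


if __name__ == "__main__":
    # Greedy .* runs to the LAST </title>, swallowing the tags in between;
    # non-greedy .*? stops at the FIRST </title>, giving just "Mytitle".
    print("greedy:    ", extract_fields(SAMPLE_EVENT, greedy=True))
    print("non-greedy:", extract_fields(SAMPLE_EVENT))
```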
It's still giving me the entire line and not just what's between the
| table title_text
Great, thanks, but I seem to be returning a huge line as there's a bunch of tags such as