@@splunk_ml I'm trying to extract timestamp from string by using regex but no luck. Ex: 2020-03-27:34R8:34:6537Z Trying to ignore R and Z. Can u pls help me on this

Ideally it should work until you have different indexes and knowledge objects setup in prod. What error you are getting?

Question: 1.Will the length of the random string will be same always? 2. Will the format of the random string will be same? like X.Y.Z...

you can do something like below, | rex "(?api\/abc\/a1bc\/v1\/abcdefghApi\/abcdef\/v1)" | stats count by api_base_url

If your event has fixed format you can use the below regex to extract the data Session\s*Type:\s*(?\w+),\s*Duration:\s*(?.+),\s*Bytes\s*xmt:\s*(?\d+),\s*Byts\s*rcv:\s*(?\d+),\s*Reason:\s*(?\w+)

Hi Rajiv, Yes it will work for a particular field as well. Thats why the "field" parameter. You need to specify the field name there on which you want to perform the rex command.

Hi Bhavya, I will be covering all of the splunk commands for sure. Regarding lookup I already created for kv store and external lookup. Please have a look at my splunk development playlist. Sid

Hi Prasad, By default rex apply the regular expression on _raw field. So field=_raw is optional, however if you need to apply the regex on another field then field= is required.

_raw carries the data indexed (per event) . So if we are extracting anything from a particular field , we can use fieldName but if that's not the case we should use _raw

Yep we can do that using props.conf file...I have a plan to create a new video for that...please stay tuned...

Can you try the below link? www.rexegg.com/regex-quickstart.html

@@splunk_ml thanku sir.

its just use to create a named group. See this video, kzbin.info/www/bejne/rGLLe6SAadmMic0

@@splunk_ml Thank you sir

Hi Ankit, Can you please elaborate your question. Are you trying to extract "Ankit" from that string or want to use that field for some other purpose. An example will be good. Sid

@@splunk_ml so I am trying to fetch data from postgresql using dbConnect app, and there are a few fields which have double quotes within text. For eg: I have a column Column name - DESCRIPTION Value - My name is "Ankit" After importing data into Splunk index, and auto extracting fields the value is shown as: Value - My name is Search query used - index = * | table * How should this be handled so that same search returns the full value? I have narrowed it down to tweaking props.conf file settings but not able to figure this out.

Please have a look at the below link. Its discussed the same issue you are facing. answers.splunk.com/answers/658833/escaping-the-double-quotes-when-ingesting-data.html

It could based on the regex code u have written...

Can you send me an example preferably through email? It will be easier for me to understand your problem.

There is an input called max_match for rex. Can you try with that. I have given an example below. | makeresults | eval sid = "acdcswpinf5800 1 acdcswpinf5801 1 acdcswpinf5802 1 acdcswpinf5803 1 acdcswpinf5804 1" | rex field=sid max_match=20 "(?P(acdcswpinf580\d 1){1,})"

@@splunk_ml it worked !! thanks

May be your regex is not correct. You can test your regex in rex101. Com.