I am trying to capture subject from following string but excluding \r\n from the matched result using regex. The string:

Sep 20 02:00:00 127.0.0.1 TestHost: Info: MID 123456 Subject "[Notification] - System 1234 [hostname] -\r\n SERVICE_STARTED (INFO)"

The Expected output should be(Excluding \r\n)

[Notification] - System 1234 [hostname] - SERVICE_STARTED (INFO)

I tried with following regex in regex101

Subject [\'\"]?(?<subject>((?:\\r\\n)?.*))[\'\"]?$

But it does not yield me the correct result.

CodePudding user response：

Please note that I don;t have an option to use replace/sub since I have to do this splunk.

Splunk most certainly has ways of replacing values in strings - either by using rex in sed mode, or by using eval replace()

This regular expression will pull what you're looking for:

| rex field=_raw "\"(?<subject>[^\"] )"

Follow it by replacing the \r\n:

| eval subject=replace(subject,"[\r\n] ","")

If that replace does not work for you (sometimes those hidden characters show up as sequential whitespace instead), do this:

| eval subject=replace(subject,"\s\s "," ")

CodePudding user response：

Try this :

const str = 'Sep 20 02:00:00 127.0.0.1 TestHost: Info: MID 123456 Subject "[Notification] - System 1234 [hostname] -\r\n SERVICE_STARTED (INFO)"';

console.log(str.match(/[^(\'\")]*.*[(\'\")$]/g)[1].replace(/[\r\n\'\"]/g, ''));

RegEx explanation :

[^(\'\")] : matches string start with either single quote or double quote.

*.* : matches any number of character after the start

[(\'\")$] : Used to match the single or double quotes at the end.

As above regex will match the two substrings from the given string, We will fetch the second one and then do the replace for \r\n by using String.replace() method.