Extract string in square bracket with regex

Time:11-09

My logs in Splunk look like:

[ A=xaxxxxx ] [ B=weea case ] [ C=another example 0 ]

How can I get only the string in the square brackets after "="?

Like so: xaxxxxx ; weea case ; another example 0

My rex is: rex field=_raw "(?<New_Field>\[\sC=(.*?)\s\])"

It extracts everything, including the square brackets [...].

CodePudding user response:

In Splunk, only named capturing groups must be used to extract data into fields. So, the numbered capturing group in your regex does not do anything meaningful for Splunk. You need to use New_Field group around the pattern part you need to extract.

Also, you only matched C; you can match any uppercase letter with [A-Z], or, if there is more than one, [A-Z]+.

You can use

\[\s*[A-Z]+=\s*(?<New_Field>.*?)\s*]

See the regex demo. Details:

  • \[ - a [ char
  • \s* - zero or more whitespaces
  • [A-Z]+ - zero or more uppercase ASCII letters
  • = - a = char
  • \s* - zero or more whitespaces
  • (?<New_Field>.*?) - Group "New_Field": any zero or more chars other than line break chars as few as possible
  • \s* - zero or more whitespaces
  • ] - a ] char.

CodePudding user response:

You can move what you don't want to capture outside of the group:

\[\sC=(?<New_Field>[^\][]*)\s]

The pattern matches:

  • \[\sC= match [ whitespace char and =
  • (?<New_Field> Named group New_Field
  • [^\][]* To stay between the square brackets, you can use a negated character class
  • ) Close group
  • \s\] Match a whitespace char and ]

See a regex demo.

To match A, B or C you can use a character class:

\[\s[A-Z]=(?<New_Field>[^\][]*)\s]

See another regex demo.
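
Added example, not part of the question or either answer: the three patterns from this page run side by side in JavaScript, whose regex engine accepts the same (?<name>...) group syntax. The sample lines are constructed, and the extra "key" group and the malformed line are assumptions made for the comparison.

```javascript
// Constructed sample event in the bracketed KEY=value layout from the question.
const SAMPLE = "[ A=xaxxxxx ] [ B=weea case ] [ C=another example 0 ]";
// Constructed malformed event: the A field never gets its closing bracket.
const MALFORMED = "[ A=broken [ B=weea case ]";

// The asker's pattern: the named group wraps the brackets too.
const ASKER = /(?<New_Field>\[\sC=(.*?)\s\])/g;
// First answer's pattern (lazy dot). The "key" group is added for this example.
const LAZY = /\[\s*(?<key>[A-Z]+)=\s*(?<New_Field>.*?)\s*]/g;
// Second answer's pattern (negated class). The "key" group is added here too.
const NEGATED = /\[\s(?<key>[A-Z])=(?<New_Field>[^\][]*)\s]/g;

// Return every match as { key, value }, like a multivalue field extraction.
function extract(pattern, line) {
  return [...line.matchAll(pattern)].map((m) => ({
    key: m.groups.key ?? null, // the asker's pattern has no key group
    value: m.groups.New_Field,
  }));
}

// Render the result as "A=<value> ; B=<value>" for a quick visual comparison.
function show(pattern, line) {
  return extract(pattern, line)
    .map((f) => `${f.key ?? "?"}=<${f.value}>`)
    .join(" ; ");
}

console.log("asker   / sample   :", show(ASKER, SAMPLE));
console.log("lazy    / sample   :", show(LAZY, SAMPLE));
console.log("negated / sample   :", show(NEGATED, SAMPLE));
console.log("lazy    / malformed:", show(LAZY, MALFORMED));
console.log("negated / malformed:", show(NEGATED, MALFORMED));
```

On the malformed line the lazy pattern assigns "broken [ B=weea case" to A, while the negated character class skips A and still extracts B cleanly. In Splunk itself, rex returns only the first match unless max_match is raised (max_match=0 returns all of them).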
