https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82375#M17049 <P>Sorry, I am not sure I know what you are saying. I did put the CSV in as a file input. I thought that the Field Extraction process would create a delimeter? Am I wrong?</P> Fri, 04 Oct 2013 01:52:58 GMT gjohnson 2013-10-04T01:52:58Z https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82373#M17047 <P>I am trying to extract a field from the following lines but the field extraction does not result in a Field. The sample data is a CSV download from a credit card site:</P> <P>02/14/2013 Thu,,"PIZZA HUT # 023603 0MC LEAN VA ","GEORGE T JOHNSON","XXXX-XXXXXX-82003",,,28.75,,,,,,,<BR /> 02/15/2013 Fri,,"BONSAI GRILL 1234560ARLINGTON VA ","GEORGE T JOHNSON","XXXX-XXXXXX-82003",,,32.21,,,,,,,<BR /> 02/15/2013 Fri,,"EXXONMOBIL MCLEAN VA ","GEORGE T JOHNSON","XXXX-XXXXXX-82003",,,57.28,,,,,,,</P> <P>The field I am looking for has the values of "28.75, 32.21, 57.28" values. I did an automated field extract by copying out the value, putting it in the sample and generating a regex - it successfully identifies the information I want (it is highlighted). I hit save then go back to searching, but the field doesn't extract. </P> <P>I then tried copying the rex pattern that successfully identified the fields in the auto-generator (see the rex below) and I ran it right on the search bar - but it brought back a sparse return (there wasn't a price field for every line like there should be).</P> <P>running this yields inconsistent results <BR /> ... | rex "(?i)^(?:[^\-]*\-){3}\d+\",,,(?P<PRICE>[^,]+)"</PRICE></P> <P>Can anyone help me with the right regex for a field extraction that yields a "price" for every line in the file?</P> Fri, 04 Oct 2013 01:34:18 GMT https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82373#M17047 gjohnson 2013-10-04T01:34:18Z https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82374#M17048 <P>Hi gjohnson,<BR /> why you are not putting that csv in inputs.conf, defining a TRANSFORM in props.conf, defining a field DELIM on your transforms.conf and the assign the right field to the different column?</P> <P>ciao</P> Fri, 04 Oct 2013 01:42:13 GMT https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82374#M17048 bizza 2013-10-04T01:42:13Z https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82375#M17049 <P>Sorry, I am not sure I know what you are saying. I did put the CSV in as a file input. I thought that the Field Extraction process would create a delimeter? Am I wrong?</P> Fri, 04 Oct 2013 01:52:58 GMT https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82375#M17049 gjohnson 2013-10-04T01:52:58Z https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82376#M17050 <P>something like this</P> <P>inputs.conf</P> <P>[monitor:///path/to/file.csv]<BR /> sourcetype = yoursourcetype <BR /> disabled = 0</P> <P>props.conf</P> <P>[sourcetype::yoursourcetype]<BR /> CHECK__FOR _HEADER=TRUE<BR /> SHOULD _LINEMERGE = false<BR /> TRANSFORM-transformfile = transf_csv</P> <P>transforms.conf</P> <P>[transf_csv]<BR /> DELIMS=","<BR /> FIELDS="field1", "field2", "field3", "field4", "fieldN"</P> Mon, 28 Sep 2020 14:53:30 GMT https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82376#M17050 bizza 2020-09-28T14:53:30Z https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82377#M17051 <P>Could you please try below rex.</P> <P>"(?i)^(?:[^,]*,){7}(?P<PRICE>[^,]+)"</PRICE></P> Fri, 04 Oct 2013 10:32:06 GMT https://community.splunk.com/t5/Getting-Data-In/Field-Extraction/m-p/82377#M17051 somesoni2 2013-10-04T10:32:06Z