topic Re: Extract backslash separated field to multiple field ? in Knowledge Management

Extract backslash separated field to multiple field ?

Real_captain — Sun, 06 Oct 2024 14:50:28 GMT

HI
Can someone please help me to extract the multiple fields from a single backslash separated field using rex command.

FIELD1 = ABCD/EFGH/IJ/KL/MN/OP/QRST

How to create the multiple fields using the field FIELD1 as below :

Field_1 = ABCD
Field_2 = EFGH
Field_3 = IJ
Field_4 = KL
Field_5 = MN
Field_6 = OP
Field_7 = QRST

How to extract multiple fields from a backslashseperated single field ?

Real_captain — Sun, 06 Oct 2024 15:03:05 GMT

Hi Team
Can someone please help me to extract the backslash separated field into multiple fields ?

Example : Field is present in Splunk as below :

Field = ABCD/EFG6/CR/IN/OU/XY/BMW

I need to use the rex command to extract the able field into 7 fields as below:

Field_1 = ABCD
Field_2 = EFG6
Field_3 = CR
Field_4 = IN
Field_5 = OU
Field_6 = XY
Field_7 = BMW

In case value of the file is below :

Field = ABCD
Then rex command generates the 7 fields as below :

Field_1 = ABCD
Field_2 =
Field_3 =
Field_4 =
Field_5 =
Field_6 =
Field_7 =

Re: How to extract multiple fields from a backslashseperated single field ?

PickleRick — Sun, 06 Oct 2024 15:20:30 GMT

1. Those are slashes, not backslashes

2. Is the number of fields constant? If not, you can't use regex alone to split it into fields.

3. Isn't splitting the string with the eval split() function enough?

Re: Extract backslash separated field to multiple field ?

richgalloway — Sun, 06 Oct 2024 16:11:57 GMT

The fields can be extracted using the rex command or by using the split function (and perhaps others).

| eval FIELDS = split(FIELD1, "/")

| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

Re: How to extract multiple fields from a backslashseperated single field ?

inventsekar — Mon, 07 Oct 2024 05:12:06 GMT

Hi @Real_captain
This straight forward method may not work if your data format is changed.

Using the "split" Command will be simple and effective method.

|makeresults | eval FIELD1 = "ABCD/EFGH/IJ/KL/MN/OP/QRST" | rex field=FIELD1 "(?P<Field_1>\w+)\/(?P<Field_2>\w+)\/(?P<Field_3>\w+)\/(?P<Field_4>\w+)\/(?P<Field_5>\w+)\/(?P<Field_6>\w+)\/(?P<Field_7>\w+)" | table FIELD1 Field_1 Field_2 Field_3 Field_4 Field_5 Field_6 Field_7

Re: How to extract multiple fields from a backslashseperated single field ?

inventsekar — Thu, 10 Oct 2024 10:30:50 GMT

Hi @Real_captain May i know if the issue is resolved or not yet, thanks.