topic Re: Extracting text from fields Question in Splunk Search

Extracting text from fields Question

hredd — Fri, 01 Feb 2019 19:42:08 GMT

How would you create a new field for example, color, by extracting the text from the value to an existing field, for example Message.

Message = The ball is red.

Problem
Want new field : color set to value = red

This is a Field Extraction Question

Re: Extracting text from fields Question

chrisyounger — Fri, 01 Feb 2019 19:58:22 GMT

Hi @hredd

By default fields/value pairs that are seperated by an equals or a full colon will typically be extracted automatically. If they aren't then you can try using | extract like so:

| makeresults | eval _raw="color set to value = red" | extract (this is just an example but substitute the first two sections with your normal search.

Otherwise you can do something like this:

| makeresults | eval _raw="color set to value = red" | rex field=_raw "value\s*=\s*(?<my_new_field>\S+)"

Hope you find this helpful

Re: Extracting text from fields Question

Vijeta — Fri, 01 Feb 2019 20:00:16 GMT

you will have to write a regex for instance your example-

|makeresults| eval x =" Message = The ball is red."
| rex field=x "\w+ = \w+ \w+ \w+ (?<string>\w+)"

Re: Extracting text from fields Question

hredd — Fri, 01 Feb 2019 20:16:45 GMT

So this seems good for testing the regex, I guess I am looking for a more permanent solution.

As in every new search containing the new extracted field.

The example is as so:

Message : blah blah blah. blah blah. the file was approved by 'Microsoft'.

This company name changes and is sometimes not present.

The goal is to make, in this example, newFieldForCompanyName = Microsoft show up in every new search

Re: Extracting text from fields Question

woodcock — Sat, 02 Feb 2019 03:36:07 GMT

Try this:

... | rex "'(?<newFieldForCompanyName>[^']+)'[^']*$"

Re: Extracting text from fields Question

chrisyounger — Sat, 02 Feb 2019 03:44:52 GMT

Hi @hredd

After you run your search, expand an event that has the field in it. Then click the button that displays and select Extract new fields. The wizard will guide you to create a permanent extraction that will run whenever anyone does a search.

All the best. Chris.

Re: Extracting text from fields Question

vinod94 — Mon, 04 Feb 2019 09:05:07 GMT

you can try this,

| makeresults 
| eval _raw="Message=\"The ball is red\"" 
| kv | fields - _raw _time
| rex field=Message "\w+\s\w+\s\w+\s(?P<clr>.+)"