topic how to extract a field where there are different values, but which has not determined a value. in Splunk Search

how to extract a field where there are different values, but which has not determined a value.

jfeitosa_real — Wed, 30 Sep 2020 04:59:04 GMT

Hello everyone!

how to extract a field where there are different values, but which has not determined a value.
I need to extract the values from the "Domain" field excluding the "Corp" and "Corp - West" values, but show me the rest.

Domain = "Corp - West \ **OfficeABC \ Server *"*
Domain = "Corp \ **OfficeXYZ \ Workstations *"*
Domain = "Default *"*

Ex. Log:

2020-04-06 18:54:30.000,
_time="2020-04-06 18:54:30.0", ComputarName="XYZ001", Usuer="userx",
Domain="Corp\OfficeXYZ\Workstations\",
IP="54.110.130.34"

2020-04-06 18:59:10.000,
_time="2020-04-06 18:59:10.0", ComputarName="XYZ101", Usuer="usera",
Domain="Corp -
West\OfficeABC\Servers\",
IP="38.230.86.56"

2020-04-06 19:09:30.000,
_time="2020-04-06 19:09:30.0", ComputarName="XYZ201", Usuer="userb",
Domain="Default\", IP="179.28.186.78"

Thanks in advance.

James._/\_

Re: how to extract a field where there are different values, but which has not determined a value.

manjunathmeti — Thu, 09 Apr 2020 18:25:11 GMT

If domain field is extracted in index then try this,

index=INDEXNAME | rex field=Domain "\"(Corp\s-\s\w+|Corp)?(?<domain>[\w\\\]+)\"" | fields Domain, domain

else,

index=INDEXNAME | rex "Domain=\"(Corp\s-\s\w+|Corp)?(?<domain>[\w\\\]+)\"" | table _raw, domain

Re: how to extract a field where there are different values, but which has not determined a value.

jfeitosa_real — Thu, 09 Apr 2020 22:04:26 GMT

I found the solution and I want to share it with you.

Domain=\"(?:(?:Corp - West|Corp))?(?DomainNew>.*?)\"

Worked perfectly.

Thanks.

James\0/