https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512851#M143856 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129407">@thambisetty</a>&nbsp; tried your solution. It throws error.</P> Thu, 06 Aug 2020 19:22:35 GMT dwibedi03 2020-08-06T19:22:35Z https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512845#M143853 <P>There is a command fields in my logs and consists of unix commands.</P><P>One value is&nbsp;</P><P><SPAN class="t">/usr/bin/ssh</SPAN> <SPAN class="t">-q</SPAN> <SPAN class="t">-o</SPAN> <SPAN class="t">ConnectTimeout=5</SPAN> <SPAN class="t">-o</SPAN> <SPAN class="t">BatchMode=yes</SPAN>&nbsp;z<SPAN class="t">evsbdr66599.prodb.cally.org</SPAN>&nbsp;<SPAN class="t">netstat</SPAN> <SPAN class="t">-rn</SPAN></P><P><SPAN class="t">I am looking to extract&nbsp;netstat -rn.&nbsp;</SPAN></P><P><SPAN class="t">Can someone provide me a way to split ?</SPAN></P><P>&nbsp;</P> Thu, 06 Aug 2020 19:03:42 GMT https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512845#M143853 dwibedi03 2020-08-06T19:03:42Z https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512850#M143855 <P>I am assuming all your commands at end of line.</P><P>&nbsp;</P><P>| rex “(?&lt;command&gt;[\w]+\s[-\w]+)$”</P> Thu, 06 Aug 2020 19:18:49 GMT https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512850#M143855 thambisetty 2020-08-06T19:18:49Z https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512851#M143856 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/129407">@thambisetty</a>&nbsp; tried your solution. It throws error.</P> Thu, 06 Aug 2020 19:22:35 GMT https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512851#M143856 dwibedi03 2020-08-06T19:22:35Z https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512866#M143862 <P>Are you looking to extract the field in a query through spl or are you trying to do a field extraction on ingest of the log data?</P><P>For the first you would add a field extraction in your props.conf file.</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Exampleconfigurationswithprops.conf" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.0.5/Knowledge/Exampleconfigurationswithprops.conf</A></P><P>For the second you would use the rex command as suggested.&nbsp;&nbsp;</P><P><A href="https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples" target="_blank">https://docs.splunk.com/Documentation/SCS/current/SearchReference/RexCommandExamples</A></P><P>The regex you would use depends on how consistant your logs are and if you could define a regex to match all of the logs you are concerned with.&nbsp; Here is an example of what might work if all of your logs had the command at the end of the line:</P><P>| rex field=_raw&nbsp;<SPAN>“(?&lt;command&gt;[\w]+\s[-\w]*)$”</SPAN></P><P><SPAN>The above regex is not perfect.&nbsp; You'll have to account for a command with and without arguments.&nbsp; The above regex isn't perfect if your command doesn't have -xyz arguments.&nbsp;&nbsp;</SPAN></P> Thu, 06 Aug 2020 19:43:27 GMT https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512866#M143862 mfasciano_splun 2020-08-06T19:43:27Z https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512867#M143863 <P>May be because of double quotes using in rex. Remove and input them from your keyboard.&nbsp;<BR /><BR /></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="107B04E0-D2A4-4346-B7D0-4CA369641F71.png" style="width: 1125px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10092iA1889182C7888F86/image-size/medium?v=v2&amp;px=400" role="button" title="107B04E0-D2A4-4346-B7D0-4CA369641F71.png" alt="107B04E0-D2A4-4346-B7D0-4CA369641F71.png" /></span></P><P> </P> Thu, 06 Aug 2020 19:48:02 GMT https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512867#M143863 thambisetty 2020-08-06T19:48:02Z https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512869#M143864 <P>Thanks for your reply. I will check it out.</P> Thu, 06 Aug 2020 19:45:22 GMT https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512869#M143864 dwibedi03 2020-08-06T19:45:22Z https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512870#M143865 <P>Yes, i got to make it work. However it is not accounting for all the commands. I will&nbsp; improvise. Thanks.</P> Thu, 06 Aug 2020 19:46:12 GMT https://community.splunk.com/t5/Splunk-Search/Split-unix-commands/m-p/512870#M143865 dwibedi03 2020-08-06T19:46:12Z