https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520879#M146730 <P>Hi,</P><P>I have below scenario where a sample gym has many customers and their accounts. Some are individual and some are Individual plus co-signer. I need to have below name combinations in data extracted via regex if possible in new fields respectively as shown in below table.&nbsp;</P><P>Where they will be coming as null after extraction, I will just fill them with fillnull or eval. Thanks in-advance!!!</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-09-22_11-18-01.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10933i31A513EDDDAE4364/image-size/large?v=v2&amp;px=999" role="button" title="2020-09-22_11-18-01.png" alt="2020-09-22_11-18-01.png" /></span></P><P>Sample:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10934iFBFB345841A3F995/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> Tue, 22 Sep 2020 18:53:07 GMT mbasharat 2020-09-22T18:53:07Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520879#M146730 <P>Hi,</P><P>I have below scenario where a sample gym has many customers and their accounts. Some are individual and some are Individual plus co-signer. I need to have below name combinations in data extracted via regex if possible in new fields respectively as shown in below table.&nbsp;</P><P>Where they will be coming as null after extraction, I will just fill them with fillnull or eval. Thanks in-advance!!!</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-09-22_11-18-01.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10933i31A513EDDDAE4364/image-size/large?v=v2&amp;px=999" role="button" title="2020-09-22_11-18-01.png" alt="2020-09-22_11-18-01.png" /></span></P><P>Sample:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/10934iFBFB345841A3F995/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> Tue, 22 Sep 2020 18:53:07 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520879#M146730 mbasharat 2020-09-22T18:53:07Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520892#M146731 <P>What do the source file records actually look like? (Obviously, you should anonymise any real data.)</P> Tue, 22 Sep 2020 16:47:25 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520892#M146731 ITWhisperer 2020-09-22T16:47:25Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520914#M146742 <P>Hi&nbsp;@ ITWhisperer,</P><P>I have updated the question with some mock samples.</P> Tue, 22 Sep 2020 18:53:43 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520914#M146742 mbasharat 2020-09-22T18:53:43Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520920#M146746 <P>How is this data coming into splunk? Are the comma-separated lines? Is it XML? Is it JSON? Can you share the raw data (anonymised)? That is, you share it is a format that rex can be applied to?</P> Tue, 22 Sep 2020 19:31:57 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520920#M146746 ITWhisperer 2020-09-22T19:31:57Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520948#M146754 <P>Hi&nbsp;@ ITWhisperer,</P><P>Data is from flat/txt logfiles.</P><P>Fields are delimited by pipe "|".</P><P>Data is in below format:</P><P><FONT color="#0000FF">2020-09-22 17:46:59,092|INFO|SVCRESP|<STRONG>clientid123</STRONG>|SEE|ABC|ECM|INFO|0000000000|1.1.1.1|123456789|202011|05|2|SUCCESS|TEST|sampleserver.com|default task-7|10|9999999999</FONT></P><P>The highlighted "clientid123" is what I match on using a lookup that contains client account information.</P><P>If client id is <STRONG>clientid123</STRONG> then lookup correlation in search brings in client info as well as associated cosigner/account holder. This client and co-account holder names come in the combination in screenshots in question and I need to break them down/extracted into new fields using rex in a clean format.&nbsp;</P> Wed, 23 Sep 2020 01:19:59 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520948#M146754 mbasharat 2020-09-23T01:19:59Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520972#M146758 <P>OK if I understand correctly</P><LI-CODE lang="markup">-- your search | lookup accountfile clientId</LI-CODE><P>This will add PRIMARY, PRIMARYMIDDLE, PRIMARYLAST,&nbsp; SECONDARYFIRST&nbsp; SECONDARYMIDDLE&nbsp; and SECONDARYLAST fields to your event (from the file). I am assuming the lookup file is correctly formatted for this already or is that the issue?</P><P>Is this what is already happening? What more do you need?</P> Wed, 23 Sep 2020 06:33:35 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/520972#M146758 ITWhisperer 2020-09-23T06:33:35Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521073#M146802 <P>Hi @ ITWhisperer,</P><P>Th analogy you mentioned for search is correct and thats what I am using BUT The only fields lookup has is clientID, Primary and Secondary names. These names are not broken down into First, Middle and Last for both Primary and Secondary.</P><P>Look has only below:</P><P><STRONG>ClientID, PrimaryName,SecondaryName</STRONG><BR /><BR />That breakdown is what I need for both Primary and Secondary names as shown in the snapshots attached in original question.</P> Wed, 23 Sep 2020 14:21:51 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521073#M146802 mbasharat 2020-09-23T14:21:51Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521078#M146804 <P>So you want a regex that will take a name (PrimaryName or SecondaryName) and split it into First, Middle and Last? How do you distinguish between names which have first and middle only and first and last only?</P> Wed, 23 Sep 2020 14:34:53 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521078#M146804 ITWhisperer 2020-09-23T14:34:53Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521121#M146815 <P>That's correct. I need&nbsp;<SPAN>regex that will take a name (PrimaryName or SecondaryName) and split it into First, Middle and Last?<BR /><BR />As per question about how to distinguish between names which have first and middle only and first and last only; they are still under Primary/Secondary for each. So as far as Primary and Secondary are broken down, it looks like that all will be broken down fine wouldn't&nbsp;they?&nbsp;&nbsp;</SPAN></P> Wed, 23 Sep 2020 17:32:39 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521121#M146815 mbasharat 2020-09-23T17:32:39Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521147#M146822 <P>Given your example data, some people have two last names (and no middle name), some people have two middle names, some people have two first names and a middle name/initial. if you took the name and split it by spaces into its constituent parts, and I guess there could be more than 4 although your examples don't show any, it might be possible to construct a number of options.</P> Wed, 23 Sep 2020 19:48:13 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521147#M146822 ITWhisperer 2020-09-23T19:48:13Z https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521301#M146884 <P>Hi&nbsp;@ ITWhisperer,</P><P>That is exactly what I am dealing with.</P> Thu, 24 Sep 2020 15:06:01 GMT https://community.splunk.com/t5/Splunk-Search/Name-Extraction-needed/m-p/521301#M146884 mbasharat 2020-09-24T15:06:01Z