topic Extracting names from fields in Splunk Search

Extracting names from fields

Rgk_Trail — Thu, 24 Sep 2020 02:32:30 GMT

Hi,

I am trying to extract name of the individuals from the field that I have in the data. For example from the data below, I want to extract Jack Smith and Joe Shmoe.

Any suggestions on how I can do this ?

Some Text
Some Text
24-Jul-2020 10:52:41 - Jack Smith (Approval history)
Jack Smith approved INT128302 for group **CAB - DEV Tech
Some Text
Some Text
22-Jul-2020 12:56:37 - Joe Shmoe (Approval history)
Joe Shmoe approved INT128302 for group **Dev - DBA Tech group
Some Text
Some Text

Thanks !

Rohan

Re: Extracting names from fields

ITWhisperer — Thu, 24 Sep 2020 07:21:17 GMT

--- your search | rex "-\s+(?<name>[^\(]+)" | eval name=trim(name)

Re: Extracting names from fields

Rgk_Trail — Thu, 24 Sep 2020 14:17:28 GMT

Would this work if names(Jack Smith) and groups(**CAB - DEV Tech) change ?

Actually, I was not very clear in my initial question. So I want to extract name of the person and the group from that field.

So format will remain the same but names and groups will change. Any idea if I can extract based on matching string and then extract text based on spaces in between ? cause format will remain the same in my data.

Thanks ,

Rohan

Re: Extracting names from fields

ITWhisperer — Thu, 24 Sep 2020 14:47:02 GMT

Are these all separate events or does every event start with a timestamp but can be multi-line?

Does the group name always start with **?

Does every line with name and group always have "approved" and "for group" in?

Re: Extracting names from fields

Rgk_Trail — Thu, 24 Sep 2020 16:24:03 GMT

Are these all separate events or does every event start with a timestamp but can be multi-line?

Every event starts with timestamp, and its multi-line. for every event name and group is buried between some other information that is not relevant for the task.

Does the group name always start with **?

Ya. Always

Does every line with name and group always have "approved" and "for group" in?

Yes. Always. It may have "rejected" as well but I want to extract only one with "approved"

Re: Extracting names from fields

ITWhisperer — Thu, 24 Sep 2020 16:31:25 GMT

-- your search

| rex "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"

Re: Extracting names from fields

Rgk_Trail — Fri, 25 Sep 2020 14:48:23 GMT

I am trying this command but it doesnt return any results, am i using it wrong ?

|inputlookup change_task_xx| rex "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group

Output that I am getting:

change_requests name group

name and group information exists in the field(approval) in the lookup .

- Rohan K.

Re: Extracting names from fields

s2_splunk — Fri, 25 Sep 2020 15:17:35 GMT

Try this:

|inputlookup change_task_xx| rex field=approval "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group

Re: Extracting names from fields

ITWhisperer — Fri, 25 Sep 2020 15:23:08 GMT

Does your table include the multi-line events as single events or have they been split across multiple events?

Re: Extracting names from fields

Rgk_Trail — Fri, 25 Sep 2020 17:27:07 GMT

attached data from lookup.

its multiline as single event. Its tied to unique field (change_request) in dataset. So goal is to extract change_request and name, group from approval for that change request.

Re: Extracting names from fields

Rgk_Trail — Sun, 27 Sep 2020 00:07:22 GMT

Thanks a lot !