https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536179#M151599 <P>Hi, I have a raw log with structure like this:</P><P>&nbsp;</P><LI-CODE lang="markup">TIME|FROM|TO|URL|ERROR|STATUS|ALERT</LI-CODE><P>&nbsp;</P><P>Example:</P><LI-CODE lang="markup">Wed Jan 6 15:10:01 2021|Department A|Department B|www.abc.com|0|Connected|Call Department C</LI-CODE><P>I want to use rex to dissect them to their own fields like TIME, FROM, TO, etc... But the thing is every fields in the log are dynamic, meaning they don't always stay the same. I pretty new to regular expression and splunk so I don't know how to operate this.</P><P>Thank you in advance.</P> Mon, 18 Jan 2021 09:10:35 GMT phamxuantung 2021-01-18T09:10:35Z https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536179#M151599 <P>Hi, I have a raw log with structure like this:</P><P>&nbsp;</P><LI-CODE lang="markup">TIME|FROM|TO|URL|ERROR|STATUS|ALERT</LI-CODE><P>&nbsp;</P><P>Example:</P><LI-CODE lang="markup">Wed Jan 6 15:10:01 2021|Department A|Department B|www.abc.com|0|Connected|Call Department C</LI-CODE><P>I want to use rex to dissect them to their own fields like TIME, FROM, TO, etc... But the thing is every fields in the log are dynamic, meaning they don't always stay the same. I pretty new to regular expression and splunk so I don't know how to operate this.</P><P>Thank you in advance.</P> Mon, 18 Jan 2021 09:10:35 GMT https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536179#M151599 phamxuantung 2021-01-18T09:10:35Z https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536187#M151602 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230393">@phamxuantung</a>,</P><P>let me understand: the problem is that the order of the fields is changing or that some field sometimes is missing?</P><P>is it possible to define some additional rules for the values or the format of the fields (e.g.: STATUS can be only "Connected" or "disconnected"; FROM and TO starts always with "Department"; etc...)?</P><P>If you can define some rules it's possible to read the fields, otherwise it's difficoult.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 18 Jan 2021 10:16:51 GMT https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536187#M151602 gcusello 2021-01-18T10:16:51Z https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536213#M151611 <P>It depends what you mean by dynamic. Does this work for you?</P><LI-CODE lang="markup">| rex "(?P&lt;TIME&gt;[^\|]*)\|(?P&lt;FROM&gt;[^\|]*)\|(?P&lt;TO&gt;[^\|]*)\|(?P&lt;URL&gt;[^\|]*)\|(?P&lt;ERROR&gt;[^\|]*)\|(?P&lt;STATUS&gt;[^\|]*)\|(?P&lt;ALERT&gt;.*)"</LI-CODE> Mon, 18 Jan 2021 13:49:32 GMT https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536213#M151611 ITWhisperer 2021-01-18T13:49:32Z https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536279#M151623 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>,</P><P>The problem is the values of the field are changing, with varied length, The rule is the order and they separate with |. Detail of each field would be:</P><P>TIME: The time of the events.</P><P>FROM|TO: Name of the Gateway, you can think of them like people name, and they have a set of 10 values or so.</P><P>URL: The URL of the connected service - The only field that have a static start pattern ("http:"), but the content varied from a web address that end with ".com" or an IP address like 192.168.1.1.</P><P>ERROR: Between 0 and 1 whereas 0 is Connected and 1 is Error.</P><P>STATUS: "Connecting to" above URL...connected/error.</P><P>ALERT: always stay the same, "Call IT", but I would like to also take it out in case there might be more in the future.</P> Tue, 19 Jan 2021 02:36:22 GMT https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536279#M151623 phamxuantung 2021-01-19T02:36:22Z https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536295#M151631 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230393">@phamxuantung</a>,</P><P>if the order is always the same, it's easy:</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "^(?&lt;TIME&gt;[^\|]+)\|(?&lt;FROM&gt;[^\|]+)\|(?&lt;TO&gt;[^\|]+)\|(?&lt;URL&gt;[^\|]+)\|(?&lt;ERROR&gt;[^\|]+)\|(?&lt;STATUS&gt;[^\|]+)\|(?&lt;ALERT&gt;.+)"</LI-CODE><P>&nbsp;</P><P>You can test the regex at <A href="https://regex101.com/r/6pQnRw/1" target="_blank">https://regex101.com/r/6pQnRw/1</A>.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 19 Jan 2021 07:52:14 GMT https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/536295#M151631 gcusello 2021-01-19T07:52:14Z https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/540357#M152870 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/230393">@phamxuantung</a>,</P><P>good for you.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated by alla contributors <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 18 Feb 2021 09:21:43 GMT https://community.splunk.com/t5/Splunk-Search/rex-for-dynamic-parttern/m-p/540357#M152870 gcusello 2021-02-18T09:21:43Z