topic Re: Regex multiple values from a string in Splunk Search

Regex multiple values from a string

timyong80 — Tue, 04 May 2021 08:04:50 GMT

Hello,

How can I extract multiple values from a string after each slash? For example below, I would like to extract field1 with the value "Subscription", field2 with the value "83C4EEEF-XXOA-1234" and so on.

/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS

Thank you.

Re: Regex multiple values from a string

ITWhisperer — Tue, 04 May 2021 09:15:42 GMT

You could use split instead of rex

| makeresults | eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS" | eval parts=split(_raw,"/")

You end up with a multi-value field then you can use mvindex to pull out specific parts.

Re: Regex multiple values from a string

timyong80 — Tue, 04 May 2021 09:38:00 GMT

Thanks @ITWhisperer. That looks like a hardcoded entry but the _raw column has unique values in each record. Is there a better way for this?

Re: Regex multiple values from a string

ITWhisperer — Tue, 04 May 2021 09:42:17 GMT

I am not sure I understand - the first two lines just set up sample data and should be replaced by your search. You will then have a multi-value field called parts for each event returned by your search which you can then select the parts you want into different fields with the mvindex command. If that isn't what you want to do, please explain further

Re: Regex multiple values from a string

kamlesh_vaghela — Tue, 04 May 2021 13:55:43 GMT

@timyong80

You can try something like below search. Just go through my sample search and update as per your requirement.

| makeresults | eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS" | eval uq=1 | accum uq | eval parts=split(_raw,"/") | stats count by uq, parts | where parts!="" | eval a=1 | accum a | eval field{a} = parts | fields - a,count, parts | stats values(*) as * by uq

Re: Regex multiple values from a string

timyong80 — Wed, 05 May 2021 01:53:40 GMT

Sorry I misunderstood the first two lines. I've just tried it on my search and it works! I then used mvindex like you suggested to bring out the parts to each new field.

| eval field1=mvindex(parts,0)

Thank you very much sir.

Re: Regex multiple values from a string

timyong80 — Wed, 05 May 2021 01:57:02 GMT

Thank you @kamlesh_vaghela ! I tried the section below but the search did not complete its run. It just keeps searching. But the first 3 lines helped to get what I wanted to achieve after adding mvindex.

| stats count by uq, parts | where parts!="" | eval a=1 | accum a | eval field{a} = parts | fields - a,count, parts | stats values(*) as * by uq

Thank you for your help and suggestion!