topic Re: How to properly extract fields using regex in Splunk Search

How to properly extract fields using regex

cmak — Mon, 25 Mar 2013 17:06:35 GMT

I have a following field in my data

cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "

This means that I have 3 types of cells in this particular event (cell names are dynamic).
How can I split this up so that it is like :

cells : "aN20%title", cells : "basic%ipin", cells : "basic%opin"

so that a command such as

stats count by cells

will produce the following list (can be used to populate dropdowns):

aN20%title
basic%ipin
basic%opin

I also would like to filter my cells, for example:

cells="aN20%title" OR cells="basic%ipin"

This would return all events that have either aN20%title or basic%ipin showing up in the cells field

The "=X" ("=1" in "aN20%title=1") is the number of instances that this type of cell appears.
I would need to be able to add this column with stats sum by cells command.

For example:

if I had 2 events

cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "
cells : "< aN20%title=2| basic%ipin=2> "

and I wanted to see the sum of the cells, I would receive

aN20%title : 3
basic%ipin : 9
basic%opin : 1

Thus, what is the best way to split this "cells" field up so that I can perform such commands.

Re: How to properly extract fields using regex

jonuwz — Mon, 25 Mar 2013 17:52:19 GMT

Given that your initial field is called celldata and contains :

cells : "< aN20%title=1| basic%ipin=7| basic%opin=1> "

This will split out the data into individual events you can massage with stats :

... | rex max_match=100 field=celldata "(?<key>[\S]+=\d+)" 
| table _time key <other interesting fields here> 
| mvexpand key
| rex field=key "(?<key>[^=]+)=(?<val>.*)"

optionally :

| stats sum(val) by key

Re: How to properly extract fields using regex

cmak — Mon, 25 Mar 2013 18:02:35 GMT

This is amazing, thanks :).
Just to let anyone who reads this know,
it should be field=cells instead of celldata (just to eliminate any confusion)