topic Re: Field extraction in Splunk Search

Field extraction

alonKri — Mon, 13 Sep 2021 08:00:40 GMT

Hi Splunk team, I would like to receive your dedicated help.

I have a string field, the field's structure is name_timestamp.

The name contains underscores between words, after the name, there is another underscore. Finally, there is a full date. for example: this_is_an_example_09_13_2021.

My goal is to extract the name from this field. for this example, I would like to receive this_is_an_example.

Is it possible?

Thanks in advance! 😊

Re: Field extraction

ITWhisperer — Mon, 13 Sep 2021 08:12:06 GMT

| rex "(?<words>[a-zA-Z_]+)_\d{2}_\d{2}_\d{4}"

Re: Field extraction

isoutamo — Mon, 13 Sep 2021 08:13:26 GMT

yes it is. You could try this

.... | rex field=name_timestamp max_match=0 "(?<file_name>.*)_\d{1,2}_\d{1,2}_\d{2,4}$"

r. Ismo

Re: Field extraction

alonKri — Mon, 13 Sep 2021 08:31:17 GMT

@ITWhisperer @isoutamo

First of all, Thank you both!

I forgot that in addition to the full date, this field contains the hour and minutes. for example,

this_is_an_example_09_13_2021_03_45.

How should I change the rex command?

Thanks!

Re: Field extraction

ITWhisperer — Mon, 13 Sep 2021 08:37:15 GMT

Since you are not extracting the time (or at least that wasn't the requirement), you will probably find that the current anchor pattern will suffice - if you do need to extend it add _\d{2}_\d{2}

Re: Field extraction

alonKri — Mon, 13 Sep 2021 08:57:58 GMT

Where should I put it?

for example, this is the received output.

Note: The name may contain numbers.

Thanks much!

Re: Field extraction

isoutamo — Mon, 13 Sep 2021 09:13:37 GMT

"(?<test>.*)" basically match everything on this field. When we are adding "_\d{4}_\d{2}_\d{2}_\d{2}_\d{2}$" we are requiring that at the end of this string there are _ + 4 digits + _ + 2 digits ... etc. and everything before that is put on test field. So based on your string just add those _\d{4} and _\d{2} to correct places. And if those days, hours, minutes and seconds can be only in one (1) digit long then use _\d{1,2} to catch also those.

So based on your screenshot you should use e.g.

rex field=test max_match=0 "(?<test>.*)_\d{4}_\d{2}_\d{2}_\d{2}_\d{2}$"

If you are using name test on field and in capture group then you are replacing the content of this field with file name instead of creating a new field for file_name. So if you need the original file name later on then it's better to use something else than test as a capture group name.

r. Ismo

Re: Field extraction

alonKri — Mon, 13 Sep 2021 10:41:07 GMT

Thanks so much! It's working 😊

@ITWhisperer