topic Re: Split square bracket expression in Splunk Search

Split square bracket expression: How to separate out below fields in table format?

drogo — Mon, 28 Aug 2023 18:56:18 GMT

Hi,

I want to separate out below fields in table format.

Raw = Namespace [com.sampple.ne.vas.events], ServiceName [flp-eg-cg], Version [0.0.1], isActive [true], AppliationType [EVENT]

Query I am using =
| eval Namespace=mvindex(split(mvindex(split(_raw, "Namespace "),1),"],"),1)
| eval ServiceName=mvindex(split(mvindex(split(_raw,"ServiceName "),1),"],"),0)
| eval Version=mvindex(split(mvindex(split(_raw,"Version "),1),"],"),0)
| stats latest(Namespace) as Namespace latest(ServiceName) as ServiceName latest(Version) as Version by host
| sort -Version

Expected result

Host	AppName	ServiceName	Version

Re: Split square bracket expression

richgalloway — Mon, 28 Aug 2023 13:49:09 GMT

It would help to know what results your query returned and why those results aren't good enough.

I prefer the rex command for extracting fields. The regular expressions below look for the given keyword then extract what's between the following square brackets.

| rex "Namespace \[(?<Namespace>[^\]]+)" | rex "ServiceName \[(?<ServiceName>[^\]]+)" | rex "Version \[(?<Version>[^\]]+)" | stats latest(Namespace) as Namespace latest(ServiceName) as ServiceName latest(Version) as Version by host | sort -Version

Re: Split square bracket expression

ITWhisperer — Mon, 28 Aug 2023 13:53:37 GMT

| rex max_match=0 "(?<keyvalue>\w+\s\[[^\]]+)" | mvexpand keyvalue | rex field=keyvalue "(?<key>\w+)\s\[(?<value>[^\]]+)" | eval {key}=value | fields - keyvalue key value | stats values(*) as * by _raw

Re: Split square bracket expression

drogo — Mon, 28 Aug 2023 14:31:38 GMT

Thanks @ITWhisperer

Re: Split square bracket expression

drogo — Mon, 28 Aug 2023 14:32:38 GMT

@hanks @richgalloway this help