topic Re: Regex issue in Splunk Search

Regex issue

cbiraris — Tue, 06 Aug 2024 10:46:46 GMT

Hi Team

i am trying to make below field regex which is coming in every single event. but its not allowing me to use same field name for 2 same type of entry as they coming in same single event.

for example:

{ "class1": { "student1": "123 rollnumber" }, "class2": { "student1": "123 rollno", "student2": "321 rollno" } }

1)class1 and class2 should be under Class field
if i search for class1 i should only find student 1 and related info.
and
if i search for class3 i should only find student 1 and related info.

they will be in the field like class, student, number, and type of number

Class field	class1	class2
student name	student1	student1
number	123	123	321
type of number	rollnumber	rollno	rollno

Re: Regex issue

gcusello — Tue, 06 Aug 2024 11:45:56 GMT

Hi @cbiraris ,

you should create your report with the last two fields in one and then separate them using a regex, something like this:

<your_search> | rename Class.student_name AS student_name Class.number AS number | rex field=number "^(?<number>\d+)\s(?<type_of_number>.*)" | table student_name number type_of_number

Ciao.

Giuseppe

Re: Regex issue

cbiraris — Tue, 06 Aug 2024 12:11:57 GMT

can you give me example ?

Re: Regex issue

gcusello — Tue, 06 Aug 2024 12:22:21 GMT

Hi @cbiraris ,

which kind of example? isn't the search I shared ok?

Ciao.

Giuseppe