topic Re: Unable to extract fields through regular expression and combining them into a single field in Splunk Search

Unable to extract fields through regular expression and combining them into a single field

luv — Mon, 28 Sep 2020 15:18:29 GMT

2013-07-09-23.57.30 [SHU1_SCG1_20130913_UJDD]
2013-07-09-23.57.45 [UBH2_SCDXC1_20130913_FDS]
2013-07-09-23.57.56 [HS3_FDR1_20130924_DJUWS]
2013-07-09-23.57.57 [GFD3_FIE1_20130927_AOIS]
2013-07-09-23.58.00 [SHU1_DBXCF1_20130929_KIDD]
2013-07-09-23.58.30 [(null)]
2013-07-09-23.59.12 [(null)]
2013-07-09-23.59.30 [LIFDSDSD1_DFFDFDF1_20131004_IWD]
2013-07-09-23.59.56 [SDJER4_IUEHG1_20131009_SKIW]
2013-08-09-02.58.30 [(null)]
2013-08-09-04.18.40 [OEIFN3_SZXV1_20131013_APOS]
2013-08-09-04.32.50 [OWPOPF2_VJGGG1_20131022_SIWD]

Their arrangement is like [Field1_Feild2_Feild3_Field4] and sometimes the whole event is (null)
Is there any way from which i can extract all the fields(field1,field2,field3,field4) through a single regex and also the null value(null) if it occurs?
Also after extracting all these fields i want to combine them into a single field(Field5) and wanna show them like "Field5=Field1_Field2_Field3_Field4" or just "Field5=(null)" if that's the case

Any advice?

Thanks 🙂

Re: Unable to extract fields through regular expression and combining them into a single field

somesoni2 — Mon, 18 Nov 2013 18:44:31 GMT

You can use below to extract individual fields and then evaluate combined field.

<base search>| rex field=body "(?i)\[(?P<field1>.*)_(?P<field2>.*)_(?P<field3>.*)_(?P<field4>.*)\]" | eval field5=COALESCE(field1."_".field2."_".field3."_".field4,"(null)")

Update:

To include field5 with values whatever is available.

 <base search>| rex field=_raw "(?i)\[(?P<field1>.*)_(?P<field2>.*)_(?P<field3>.*)_(?P<field4>.*)\]" | rex field=_raw "(?i)\[(?P<field5>.*)\]"

Re: Unable to extract fields through regular expression and combining them into a single field

luv — Mon, 18 Nov 2013 19:28:54 GMT

Thanks that worked in my case 🙂
But i was just wondering what's that (?P) for?
And suppose if that my log has "(null)" "none" "void" etc then?
I thought to capture this also in a field with a regex, you know like an optional field? but it didn't really work. your suggestion did infact helped in my case but what if it was not the case and i had "(null)","none","void" not just "(null)" then?

Re: Unable to extract fields through regular expression and combining them into a single field

somesoni2 — Mon, 18 Nov 2013 20:15:01 GMT

(?P) is for python friendly regular expression (nothing python specific here), I'm used to write my regex like that.

I updated the answer to capture field5 as it is, so we don't have to do concatenation of fields and in case fields not available, it'll take whatever is available.