topic Re: New Field From a Current Field Up to a Certain Character (In a Search) in Splunk Search

New Field From a Current Field Up to a Certain Character (In a Search)

aferone — Tue, 26 Nov 2013 15:08:39 GMT

I have a field named FieldA. It looks like this:

10.10.10.10->10.11.11.11

I want to create a new field (FieldB) that is everything left of the "->". I tried using LTRIM, among others, but I can't get it working. This "seems" easy. 🙂

Help?

Thank you!

Re: New Field From a Current Field Up to a Certain Character (In a Search)

lukejadamec — Tue, 26 Nov 2013 15:20:04 GMT

Can you post the _raw event that contains the data?
In the mean time, have you tried
rex ".*->(?<newfield>\d+\.\d+\.\d+\.\d+)\D.*"

Is the new field always an IP?

Re: New Field From a Current Field Up to a Certain Character (In a Search)

kristian_kolb — Tue, 26 Nov 2013 15:20:26 GMT

 ... | rex field=fieldA "^(?<fieldB>[\d.]+)"

should do it...

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aferone — Tue, 26 Nov 2013 15:28:21 GMT

Hmmm. I tried this, but I'm not getting data back in the new field.

Re: New Field From a Current Field Up to a Certain Character (In a Search)

gfuente — Tue, 26 Nov 2013 15:32:34 GMT

Is there a typo in the field name? The first F of the field name is uppercase?

... | rex field=FieldA "^(?[\d.]+)"

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aholzer — Tue, 26 Nov 2013 15:34:20 GMT

Combine Kristian and Luke's answers:

... | rex field=fieldA "^(?\d+\.\d+\.\d+\.\d+)"

This should do it. Luke's answer was getting the right side of your fieldA, while Kristian's answer wasn't properly accounting for the periods in the IP.

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aferone — Tue, 26 Nov 2013 15:34:41 GMT

Nope, no typos.

How does the rex work with this? How does it know to stop at the dash in the original string?

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aferone — Tue, 26 Nov 2013 15:36:59 GMT

OK, I removed my top and table commands, and the rex is working just fine. I need to see how to format this data now. Thank you very much!!

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aferone — Tue, 26 Nov 2013 15:37:25 GMT

How, can you explain exactly how this work? My RegEx is terrible. Thanks again!

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aelliott — Tue, 26 Nov 2013 15:47:33 GMT

http://www.splunk.com/web_assets/pdfs/secure/Splunk_Quick_Reference_Guide.pdf may help.. I'm not that good myself and am not quite sure how it excludes the -> myself but you could include the -> at the very end if you wanted.

Re: New Field From a Current Field Up to a Certain Character (In a Search)

lukejadamec — Tue, 26 Nov 2013 15:52:43 GMT

Kristian's capture group includes only digits and dots, so when it gets to the -> it stops, and the ? grabs the first set that matches the group.

I forgot which way left was.

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aelliott — Tue, 26 Nov 2013 16:11:05 GMT

so if it weren't always numbers and dots then
rex field=FieldA "^(?.*)->" would work.. after all.. it could be an IPv6

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aferone — Tue, 26 Nov 2013 16:19:25 GMT

Good stuff here, everyone. Thanks again!

Re: New Field From a Current Field Up to a Certain Character (In a Search)

kristian_kolb — Tue, 26 Nov 2013 16:20:05 GMT

Sorry, I could have explained more clearly;

From the start of the string - ^ - start capturing - ( - a field called fieldb - ? - that consists of one or more digits and dots - [\d.]+ - and then stop the capture - )

Re: New Field From a Current Field Up to a Certain Character (In a Search)

aferone — Tue, 26 Nov 2013 16:44:00 GMT

Thanks, Kristian!