topic Re: How to combine two field extractions into 1 with regex? in Splunk Search

How to combine two field extractions into 1 with regex?

kamal_jagga — Tue, 22 Dec 2015 22:09:14 GMT

I read in the best practices that if possible, combine two field extractions in to 1. This will improve the efficiency of the system.

But when I tried implementing it, it's not giving satisfactory results for all scenarios.

eg. When the 1st field is blank or space, it's not extracting the 2nd field consistently.

Has anyone else also faced this issue?

Thanks

Re: How to combine two field extractions into 1 with regex?

ppablo — Tue, 22 Dec 2015 22:26:06 GMT

Hi @kamal_jagga

I think it'll be best if you include sample data and the regular expression(s) you've tried already for other users to best help you here.

Re: How to combine two field extractions into 1 with regex?

kamal_jagga — Tue, 22 Dec 2015 22:51:28 GMT

Following are my 2 Field extractions:

100_cricket : EXTRACT-runs_1     ^.{23}.{23}35.{121}(?P<runs_1>.{1})
100_cricket : EXTRACT-runs_2     ^.{23}.{23}35.{123}(?P<runs_2>.{1})

I would like to combine them to improve efficiency.

100_cricket : EXTRACT-runs_1,runs_2      ^.{23}.{23}35.{123}(?P<runs_1>.{1})?(?P<runs_2>.{1})

But this regex doesn't work if 1st field is blank or junk values.

Kindly advise.

Re: How to combine two field extractions into 1 with regex?

Murali2888 — Wed, 23 Dec 2015 00:11:52 GMT

i faced the same issue when combining multiple field extractions under one rex. Though i had a work around to split them into multiple rex, I would like to understand if this is a limitation

Re: How to combine two field extractions into 1 with regex?

gcato — Wed, 23 Dec 2015 21:23:10 GMT

The regular expression syntax can get a bit complicated when extracting multiple fields under one rex, but it does work. I suggest using a tool like regex101.com to test with your regular expressions to get it right. I find that they usually happily transfer into Splunk once you've got the syntax right.

Here's a run anywhere splunk example that extracts multiple fields using one rex. Note the nesting of fields extractions.

|stats count as foo |eval foo = " la de dah de da" |rex field=foo "^(?: *)(?P<all>(?P<first>[^\s]+) de (?P<middle>[^\s]+) de (?P<last>.+).*)$"

I suggest going to regex101 (or some other regex tool) and playing around. Here's a link to the example above: https://regex101.com/r/iU2zD0/1

Hope this helps.

Re: How to combine two field extractions into 1 with regex?

jkat54 — Wed, 23 Dec 2015 21:53:19 GMT

Hey, do it like this and let me know if this is what you like:

extract-aaa = ((?<field1Name>[field1NameRegex])(?<field2Name>[field2NameRegex]))

So if this was my data:

timestamp - datafield1 and datafield2

I might use this:

extract-aaa = (?<field1>(?<=timestamp - ).*(?= and )(?<field2>.*)

Re: How to combine two field extractions into 1 with regex?

jkat54 — Wed, 23 Dec 2015 21:57:30 GMT

my regex doesnt work with my data sample by the way but i'm thinking you might get the point if you know regex well enough.