topic Re: rex to extract field from csv in Splunk Search

rex to extract field from csv

surekhasplunk — Thu, 05 Apr 2018 09:59:46 GMT

Hi,

I want to extract below fields
First 5 fields are automatically extracted by splunk witihout any issues. But last 2 fields since they are starting with # symbol didnt get extracted correctly. How can i extract them ?
EmpNo,EmpName,EmpTitle,Region,Country,# completed,#not completed

12345,"Razal,Rafi",Lead Service Specialist,UK,United Kingdom,0,1

My file contnt looks like above line. I surrounded them with double quotes thinking that it will be easy for extraction since i have comma in Name field along with comma as delimiter to look like below.

"12345",""Razal,Rafi"","Lead Service Specialist","UK","United Kingdom","0","1"

Please help me with rex for field extraction. to extract last two fields.

Re: rex to extract field from csv

splunker12er — Thu, 05 Apr 2018 10:15:41 GMT

yoursearch |rex (?P<field1>\w+),(?P<field2>\w+),(?P<field3>\w+),(?P<field4>\w+),(?P<field5>\w+),(?P<field6>\#\s\w+),(?P<field7>\#\w+\s\w+)

Re: rex to extract field from csv

ips_mandar — Thu, 05 Apr 2018 10:26:19 GMT

Try this regex when other fields are not surrounded by double quotes:

rex ",(?<completed>\d),(?<notCompleted>\d)$"

Re: rex to extract field from csv

surekhasplunk — Thu, 05 Apr 2018 11:52:15 GMT

Its not working giving me error at field2 as it has got comma inside the name i believe

Re: rex to extract field from csv

splunker12er — Thu, 05 Apr 2018 11:56:36 GMT

Does all your data will have the same comma or only for this particular event?

Re: rex to extract field from csv

surekhasplunk — Thu, 05 Apr 2018 12:14:45 GMT

only for that particular event .. As other events might have 2 commas or might not have comma at all. for that column
Can we just ignore writing rex for those fields as splunk already extracts them well . its just that m more worried about the last 2 fields.

Re: rex to extract field from csv

splunker12er — Thu, 05 Apr 2018 12:21:50 GMT

try this,

yoursearch |rex '(?P<Emp_No>\d+),(?P<Emp_Name>\S+),(?P<Title>[\w|\s]+),(?P<Region>\w+),(?P<Country>[\w|\s]+),(?P<Completed>\d+),(?P<Not_Completed>\d+)' | table *

Re: rex to extract field from csv

splunker12er — Thu, 05 Apr 2018 12:23:52 GMT

i saved the results here - you can verify below

https://regex101.com/r/ZenZiK/1

Re: rex to extract field from csv

splunker12er — Thu, 05 Apr 2018 12:25:05 GMT

if this help, please vote/ mark as answered//...

🙂
thanks

Re: rex to extract field from csv

logloganathan — Thu, 05 Apr 2018 12:36:09 GMT

Could you please provide raw event to generate the Regex

Re: rex to extract field from csv

surekhasplunk — Mon, 09 Apr 2018 07:44:37 GMT

Thanks you very much @splunker12er and ips_mandar. I just tweaked a little and it worked like magic. i used $ to get the last field and rest like (?P\d) to get the fields.