- Splunk Answers
- :
- Using Splunk
- :
- Alerting
- :
- Covert Object name into column name using back sla...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Covert Object name into column name using back slash
Hello Team,
Could anyone can help me in spiting Object name into column name
Like In Query we are getting Object name as in One Column :
R:\ClientReports\OpenCaseReport\DataFiles\AmeriHealth_Open\CaseReport_20101210.txt
I wanted to spit into 6 column as A ,B,C,D,E,F
Output will be like this
Header table : A |B|C|D|E|F
Row Data : R: |ClientReports|OpenCaseReport|DataFiles|AmeriHealthOpen|CaseReportt_20101210.txt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @shishirkumar,
Check out the rex command. You can use it to extract new fields from existing fields at search time:
| makeresults count=1 | eval Object_name="R:\ClientReports\OpenCaseReport\DataFiles\AmeriHealth_Open\CaseReport_20101210.txt"
| rex field=Object_name "^(?<A>[^\\\\]+)\\\\(?<B>[^\\\\]+)\\\\(?<C>[^\\\\]+)\\\\(?<D>[^\\\\]+)\\\\(?<E>[^\\\\]+)\\\\(?<F>[^\\\\]+)"
| table A,B,C,D,E,F
This will give you:
A B C D E F
R: ClientReports OpenCaseReport DataFiles AmeriHealth_Open CaseReport_20101210.txt
You could also save this regular expression as a field extraction so that it extracts the fields automatically.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it not working if i am remove hardcoded value that is "R:\ClientReports\OpenCaseReport\DataFiles\AmeriHealth_Open\CaseReport_20101210.txt" with my column name ?
Could You please help to resolve that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the name of the column?
Did you set "| rex field=YOUR_COLUMN_NAME ..." accordingly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults count=1 | eval Object_name=Object_name
| rex field=Object_name "^(?<A>[^\\\\]+)\\\\(?<B>[^\\\\]+)\\\\(?<C>[^\\\\]+)\\\\(?<D>[^\\\\]+)\\\\(?<E>[^\\\\]+)\\\\(?<F>[^\\\\]+)"
| table A,B,C,D,E,F
Object Name is column name
This is Original Query where I wanted to add this.
index=wineventlog host=ATLINFS3 sourcetype="WinEventLog:Security" ClientReports NOT "Symantec Endpoint Protection" Object_Name = ".PDF" OR Object_Name = ".XLSX" OR Object_Name = ".TXT" | where Account_Name!="svisadmin" and Object_Name != "~$$*" | stats count(Object_Name) as TotalCount by Object_Name | sort -TotalCount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try the following:
index=... | where ... | stats ... | sort ...
| rex field=Object_Name "^(?<A>[^\\\\]+)\\\\(?<B>[^\\\\]+)\\\\(?<C>[^\\\\]+)\\\\(?<D>[^\\\\]+)\\\\(?<E>[^\\\\]+)\\\\(?<F>[^\\\\]+)"
(The makeresults and eval line were just for testing purposes.)
I changed "rex field=Object_name" to "rex field=Object_Name". Field names are case sensitive.
If this does not work, could you post a screenshot of the results from this query? (Specifically of the Object_Name column.)
You can use regex101.com for testing regular expressions.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
