Re: Field Extraction from another field

sumitkathpal292 · ‎11-08-2018

Hi All,

We have a email logs , which are getting extracted. However, field name "file" also extracting the Urls. My plan is to extract the new field "url" from field "file" . Under field name "url" (anything which start with http* should be part of this field ) remaining we can create new field called "files".

Example
file= test1.txt , test2.txt , https://www.google.com

New expected output
url=https://www.google.com
files=test1.txt , test2.txt

Thanks in advance.

FrankVl · ‎11-08-2018

Try this (first two lines are just to generate some sample data, replace those with your actual search):

| makeresults 
| eval file= "test1.txt , test2.txt , https://www.google.com";
| eval file = split(file,",")
| eval url = mvjoin(mvfilter(match(file,"^\s*http")),",")
| eval file = mvjoin(mvfilter(NOT match(file,"^\s*http")),",")

You might need to do some cleanup on spaces

And an alternative using rex to extract the urls into the url field and sed to clean up the file field:

| makeresults 
| eval file= "http://try.me , test1.txt , http://test.nl , test2.txt , https://www.google.com";
| rex field=file max_match=0 "(?<url>http[^,\s]+)"
| eval url = mvjoin(url," , ")
| rex field=file mode=sed "s/ , http[^,\s]+( ,)?/\1/g"
| rex field=file mode=sed "s/^http[^,\s]+( , )?//g"

accsam · ‎11-08-2018

try this
...|rex field=file "(?.+[^\,]+)\,(?https.*)"

Field Extraction from another field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation