Field Extraction from another field

sumitkathpal292 · ‎11-08-2018

Hi All,

We have a email logs , which are getting extracted. However, field name "file" also extracting the Urls. My plan is to extract the new field "url" from field "file" . Under field name "url" (anything which start with http* should be part of this field ) remaining we can create new field called "files".

Example
file= test1.txt , test2.txt , https://www.google.com

New expected output
url=https://www.google.com
files=test1.txt , test2.txt

Thanks in advance.

FrankVl · ‎11-08-2018

Try this (first two lines are just to generate some sample data, replace those with your actual search):

| makeresults 
| eval file= "test1.txt , test2.txt , https://www.google.com";
| eval file = split(file,",")
| eval url = mvjoin(mvfilter(match(file,"^\s*http")),",")
| eval file = mvjoin(mvfilter(NOT match(file,"^\s*http")),",")

You might need to do some cleanup on spaces

And an alternative using rex to extract the urls into the url field and sed to clean up the file field:

| makeresults 
| eval file= "http://try.me , test1.txt , http://test.nl , test2.txt , https://www.google.com";
| rex field=file max_match=0 "(?<url>http[^,\s]+)"
| eval url = mvjoin(url," , ")
| rex field=file mode=sed "s/ , http[^,\s]+( ,)?/\1/g"
| rex field=file mode=sed "s/^http[^,\s]+( , )?//g"

accsam · ‎11-08-2018

try this
...|rex field=file "(?.+[^\,]+)\,(?https.*)"

Field Extraction from another field

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update