All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field Extraction from another field

sumitkathpal292
New Member
‎11-08-2018 01:49 AM

Hi All,

We have a email logs , which are getting extracted. However, field name "file" also extracting the Urls. My plan is to extract the new field "url" from field "file" . Under field name "url" (anything which start with http* should be part of this field ) remaining we can create new field called "files".

Example
file= test1.txt , test2.txt , https://www.google.com

New expected output
url=https://www.google.com
files=test1.txt , test2.txt

Thanks in advance.

0 Karma
Reply

FrankVl
Ultra Champion
‎11-08-2018 02:50 AM

Try this (first two lines are just to generate some sample data, replace those with your actual search):

| makeresults 
| eval file= "test1.txt , test2.txt , https://www.google.com";
| eval file = split(file,",")
| eval url = mvjoin(mvfilter(match(file,"^\s*http")),",")
| eval file = mvjoin(mvfilter(NOT match(file,"^\s*http")),",")

You might need to do some cleanup on spaces

And an alternative using rex to extract the urls into the url field and sed to clean up the file field:

| makeresults 
| eval file= "http://try.me , test1.txt , http://test.nl , test2.txt , https://www.google.com";
| rex field=file max_match=0 "(?<url>http[^,\s]+)"
| eval url = mvjoin(url," , ")
| rex field=file mode=sed "s/ , http[^,\s]+( ,)?/\1/g"
| rex field=file mode=sed "s/^http[^,\s]+( , )?//g"
0 Karma
Reply

accsam
New Member
‎11-08-2018 02:02 AM

try this
...|rex field=file "(?.+[^\,]+)\,(?https.*)"

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...