All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need to compile a regex for a field

mmohiuddin
Path Finder
‎07-01-2015 09:21 AM

I have a field called STATUS that is displaying two values:

STATUS=In

STATUS=IN

I need to create a regex that would extract both the values and create a single field called Status.

Is there a way to do it?

There is an option [c|C] that can be used to ignore case sensitive phrases but I am unable to extract the right regex.

0 Karma
Reply

mmohiuddin
Path Finder
‎07-01-2015 10:51 AM

I was able to find a fix for my search.

We can use:

| eval STATUS = lower(STATUS) | ..

to merge both the upper case and lower case word results

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-01-2015 09:30 AM

Having some sample events would help, but this should get you started. You can also go to www.regex101.com to test regex strings.

... | rex "STATUS=(?P<Status>\w+)" | ...
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...