All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Unable to extract optional fields in splunk through regex

luv
Explorer
‎11-15-2013 07:38 AM

Hi, I have logs some what like this

......[ABC] - [YUP1,AConsole]
......[PQR] - [YUP1,PConsole]
......[ZAD] - [YUP1,DConsole]
......[SID] - [TYU3,2013-08-29,QConsole]
......[POP] - [TYU3,2013-08-30,TConsole]
......[IOL] - [TYU3,2013-09-01,XConsole]
......[DSW] - [GKFO,2013-09-12,iConsole,Payment1]
......[ESD] - [IOSD,2013-09-13,iConsole,Payment2]
......[ABC] - [YUP1,AConsole]
......[RTS] - [YUP1,RConsole]
......[SID] - [TYU3,2013-09-26,QConsole]
......[DSW] - [GKFO,2013-10-29,iConsole,Payment3]
......[EDS] - [EDC1,FConsole]

In the square brackets [(Field1),(Field2),(Field3),(Field4)] some of the fields are optional, they come and go in some events.

1st combination [(Field1),(Field3)]
2nd combination [(Field1),(Field2),(Field3)]
3rd combination [(Field1),(Field2),(Field3),(Field4)]
This means Field1 & Field3 are always there in the events but Field2 & Field4 are optional, I want to extract all of them.

This is the regex which i have come up with, But seems like it is not working for my case

rex field=_raw "\] - \[(?< Field1 >[^,]+)(,)?(?< Field2 >[^,]+)?,(?< Field3 >[^,\]]+)(,)?(< Field4 >[^\]]+)?"
PS- I have added a space between "<" and ">" because it text box was escaping it.
Any help would be really appreciated

Thanks 🙂

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-15-2013 08:20 AM

I think this will also work:

.+\[(?<FIELD1>[^,]+)\,?(?<FIELD2>[0-9-]+)?\,(?<FIELD3>\w+)\,?(?<FIELD4>\S+)?\]

View solution in original post

Reply
Solved! Jump to solution

d29priyanka
New Member
‎04-07-2015 12:52 PM

Hi I have events look like this:

DISKBSIZE,T0001,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0
DISKBSIZE,T3729,8.0,4.0,0.0,7.4,4.0,4.0,4.0,0.0,10.8,0.0,0.0,6.0,0.0,4.0,6.0,0.0,10.5,0.0,8.0,4.0,4.0,0.0,8.7,4.0,8.4,5.7,4.0,9.3,0.0,5.5,0.0
DISKBSIZE,T3728,10.2,4.0,0.0,0.0,5.7,27.8,5.7,8.6
DISKBSIZE,T3729,0.0,4.0,11.3,0.0,0.0,10.8,0.0,6.0,0.0,5.3,4.0,0.0,11.1,0.0,4.0,6.0,0.0,5.6,0.0,13.9,0.0,4.0,5.3,17.1,0.0,9.3,0.0,10.0,5.4,6.7,4.0,13.2,0.0,8.0,0.0

Some fields come and go.Need a regex which extracts multiple fields.
Here is the regex which i came up with

|rex field=_raw "(?i)DISKBSIZE,(?P[^,]),(?P[^,]\d+),(?P[^,]\d+),(?P[^,]\d+),(?P[^,]\d+),(?P[^,]\d+),(?P[^,]\d+),(?P[^,]\d+),(?P[^,]\d+),(?P[^,]\d+),?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?,?(?P[^,]\d+)?"

0 Karma
Reply
Solved! Jump to solution
Solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-15-2013 08:20 AM

I think this will also work:

.+\[(?<FIELD1>[^,]+)\,?(?<FIELD2>[0-9-]+)?\,(?<FIELD3>\w+)\,?(?<FIELD4>\S+)?\]
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-15-2013 12:56 PM

You probably don't need to escape the comma but it never hurts to be literal. I should have just escaped the last one too.

0 Karma
Reply
Solved! Jump to solution

luv
Explorer
‎11-15-2013 12:47 PM

just out of curiosity whats this "\" for?? between ".+\[(?[^,]+)" and ","
same with "?(?[0-9-]+)?" and ","
is there something which needs to be escaped?

0 Karma
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-15-2013 12:22 PM

Thanks much!

0 Karma
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-15-2013 11:59 AM

Please accept this answer by checking the check mark. Thanks!

0 Karma
Reply
Solved! Jump to solution

luv
Explorer
‎11-15-2013 11:52 AM

that worked!!! thank you so much 🙂

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-15-2013 08:01 AM

You can use following. Assumption there are atleast 2 fields and they are separated by comma. You can add more eval statements if you have more fields.

..your search..| rex field=_raw ".*\[(?<fieldlist>[^\]]+)" |eval fieldlist=split(fieldlist,",") 
| eval fieldcount=mvcount(fieldlist) 
| eval field1=mvindex(fieldlist,0) 
| eval field2=case(fieldcount > 2,mvindex(fieldlist,1),1=1,"")
| eval field3=case(fieldcount > 2,mvindex(fieldlist,2),1=1,mvindex(fieldlist,1))
| eval field4=case(fieldcount > 3,mvindex(fieldlist,3),1=1,"")
Reply
Solved! Jump to solution

luv
Explorer
‎11-15-2013 11:54 AM

This is really cool way to extract fields,it worked....Will definitely try more of this in future 🙂

0 Karma
Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎11-15-2013 07:46 AM

You said: This means Field1 & Field3 are always there in the events but Field3 & Field4 are optional, I want to extract all of them.

Did you mean Field2 & Field4 are optional?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...