Solved: Re: Copy and then parse a field

a212830 · ‎05-13-2019

Hi,

I have a field that already exists, and I want to parse it out into a new field, using props/transforms. The field is surrounded in brackets, so it's in this format:

<COMPID> these are some values </COMPID>

The entired feed is bracket enclosed (but not xml). I've never done this before, and the regex is killing me as well. Can anyone help?

MuS · ‎05-13-2019

Hi a212830,

see this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html
but you will use this settings in transforms.conf :

REGEX = \>([^\<]+)\<
FORMAT = MyNewFieldName::$1

This will create a new field called MyNewFieldName containing this value these are some values.

Hope this helps ...

cheers, MuS

View solution in original post

sloshburch · ‎07-01-2019

Hey @a212830, is this a duplicate post to your Help with props and transforms?

MuS · ‎05-13-2019

Hi a212830,

see this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html
but you will use this settings in transforms.conf :

REGEX = \>([^\<]+)\<
FORMAT = MyNewFieldName::$1

This will create a new field called MyNewFieldName containing this value these are some values.

Hope this helps ...

cheers, MuS

a212830 · ‎06-06-2019

Sorry, getting back to this... not sure this will work, as every field is bracket <> seperated. I need something that will extract the first string within the values. It contains multiple, white space seperated values.

<COMPID>string1 string2 string3 string4</COMPID>

MuS · ‎06-06-2019

Sure this will work, I just did not understood it correct 😉

In this case try this regex:

REGEX = \>([^\s]+)\s

this will get string1 from your example as value of the MyNewFieldName.

cheers, MuS

Copy and then parse a field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!