Archive
Highlighted

Copy and then parse a field

Champion

Hi,

I have a field that already exists, and I want to parse it out into a new field, using props/transforms. The field is surrounded in brackets, so it's in this format:

<COMPID> these are some values </COMPID>

The entired feed is bracket enclosed (but not xml). I've never done this before, and the regex is killing me as well. Can anyone help?

0 Karma
Highlighted

Re: Copy and then parse a field

SplunkTrust
SplunkTrust

Hi a212830,

see this answer https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html
but you will use this settings in transforms.conf :

REGEX = \>([^\<]+)\<
FORMAT = MyNewFieldName::$1

This will create a new field called MyNewFieldName containing this value these are some values.

Hope this helps ...

cheers, MuS

View solution in original post

Highlighted

Re: Copy and then parse a field

Champion

Sorry, getting back to this... not sure this will work, as every field is bracket <> seperated. I need something that will extract the first string within the values. It contains multiple, white space seperated values.

<COMPID>string1 string2 string3 string4</COMPID>
0 Karma
Highlighted

Re: Copy and then parse a field

SplunkTrust
SplunkTrust

Sure this will work, I just did not understood it correct 😉

In this case try this regex:

REGEX = \>([^\s]+)\s

this will get string1 from your example as value of the MyNewFieldName.

cheers, MuS

0 Karma
Highlighted

Re: Copy and then parse a field

Ultra Champion

Hey @a212830, is this a duplicate post to your Help with props and transforms?

0 Karma