Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex extraction and then concatenation of multiple capture groups

ebs
Communicator
‎08-04-2021 07:36 PM

Hi,

I have a log that has the following: dn=site,dn=com,dn=au

I would like to extract and concatenate all these fields into a single capture group with periods between the words so the extracted field looks like site.com.au

How can I do this with regex?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎08-04-2021 08:45 PM

your props against sourcetype/host/source should be deployed to SH.

## props.conf
[<your_st/host::/source::>]
EXTRACT-dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)
EVAL-site=x.".".y.".".z

 

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎08-04-2021 08:14 PM

@ebs try this

<your_search>
| rex "dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)" 
| eval site=x.".".y.".".z
0 Karma
Reply
Solved! Jump to solution

ebs
Communicator
‎08-04-2021 08:16 PM

Thanks but I don't want to do it via a search and rex command. I want to do it as a field extraction. Do you have any insights on how to do it this way?

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎08-04-2021 08:45 PM

your props against sourcetype/host/source should be deployed to SH.

## props.conf
[<your_st/host::/source::>]
EXTRACT-dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)
EVAL-site=x.".".y.".".z

 

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...