Solved: Re: Regex extraction and then concatenation of mul...

ebs · ‎08-04-2021

Hi,

I have a log that has the following: dn=site,dn=com,dn=au

I would like to extract and concatenate all these fields into a single capture group with periods between the words so the extracted field looks like site.com.au

How can I do this with regex?

venkatasri · ‎08-04-2021

your props against sourcetype/host/source should be deployed to SH.

## props.conf
[<your_st/host::/source::>]
EXTRACT-dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)
EVAL-site=x.".".y.".".z

View solution in original post

venkatasri · ‎08-04-2021

@ebs try this

<your_search>
| rex "dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)" 
| eval site=x.".".y.".".z

ebs · ‎08-04-2021

Thanks but I don't want to do it via a search and rex command. I want to do it as a field extraction. Do you have any insights on how to do it this way?

venkatasri · ‎08-04-2021

your props against sourcetype/host/source should be deployed to SH.

## props.conf
[<your_st/host::/source::>]
EXTRACT-dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)
EVAL-site=x.".".y.".".z

Regex extraction and then concatenation of multiple capture groups

field extraction

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Regex extraction and then concatenation of multiple capture groups

field extraction

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability