Solved: Re: Regex extraction and then concatenation of mul...

ebs · ‎08-04-2021

Hi,

I have a log that has the following: dn=site,dn=com,dn=au

I would like to extract and concatenate all these fields into a single capture group with periods between the words so the extracted field looks like site.com.au

How can I do this with regex?

venkatasri · ‎08-04-2021

your props against sourcetype/host/source should be deployed to SH.

## props.conf
[<your_st/host::/source::>]
EXTRACT-dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)
EVAL-site=x.".".y.".".z

View solution in original post

venkatasri · ‎08-04-2021

@ebs try this

<your_search>
| rex "dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)" 
| eval site=x.".".y.".".z

ebs · ‎08-04-2021

Thanks but I don't want to do it via a search and rex command. I want to do it as a field extraction. Do you have any insights on how to do it this way?

venkatasri · ‎08-04-2021

your props against sourcetype/host/source should be deployed to SH.

## props.conf
[<your_st/host::/source::>]
EXTRACT-dn=(?<x>[^,]+),dn=(?<y>[^,]+),dn=(?<z>[^,]+)
EVAL-site=x.".".y.".".z

Regex extraction and then concatenation of multiple capture groups

field extraction

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

Regex extraction and then concatenation of multiple capture groups

field extraction

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!