Solved: Extract backslash separated field to multiple fiel...

Real_captain · ‎10-06-2024

HI
Can someone please help me to extract the multiple fields from a single backslash separated field using rex command.

FIELD1 = ABCD/EFGH/IJ/KL/MN/OP/QRST

How to create the multiple fields using the field FIELD1 as below :

Field_1 = ABCD
Field_2 = EFGH
Field_3 = IJ
Field_4 = KL
Field_5 = MN
Field_6 = OP
Field_7 = QRST

richgalloway · ‎10-06-2024

The fields can be extracted using the rex command or by using the split function (and perhaps others).

| eval FIELDS = split(FIELD1, "/")

| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 
    [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Real_captain · ‎10-06-2024

Hi Team
Can someone please help me to extract the backslash separated field into multiple fields ?

Example : Field is present in Splunk as below :

Field = ABCD/EFG6/CR/IN/OU/XY/BMW

I need to use the rex command to extract the able field into 7 fields as below:

Field_1 = ABCD
Field_2 = EFG6
Field_3 = CR
Field_4 = IN
Field_5 = OU
Field_6 = XY
Field_7 = BMW

In case value of the file is below :

Field = ABCD
Then rex command generates the 7 fields as below :

Field_1 = ABCD
Field_2 =
Field_3 =
Field_4 =
Field_5 =
Field_6 =
Field_7 =

inventsekar · ‎10-06-2024

Hi @Real_captain
This straight forward method may not work if your data format is changed.

Using the "split" Command will be simple and effective method.

|makeresults | eval FIELD1 = "ABCD/EFGH/IJ/KL/MN/OP/QRST" 
| rex field=FIELD1 "(?P<Field_1>\w+)\/(?P<Field_2>\w+)\/(?P<Field_3>\w+)\/(?P<Field_4>\w+)\/(?P<Field_5>\w+)\/(?P<Field_6>\w+)\/(?P<Field_7>\w+)"
| table FIELD1 Field_1 Field_2 Field_3 Field_4 Field_5 Field_6 Field_7

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

inventsekar · ‎10-10-2024

Hi @Real_captain May i know if the issue is resolved or not yet, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

PickleRick · ‎10-06-2024

1. Those are slashes, not backslashes

2. Is the number of fields constant? If not, you can't use regex alone to split it into fields.

3. Isn't splitting the string with the eval split() function enough?

richgalloway · ‎10-06-2024

The fields can be extracted using the rex command or by using the split function (and perhaps others).

| eval FIELDS = split(FIELD1, "/")

| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 
    [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

---
If this reply helps you, Karma would be appreciated.

Extract backslash separated field to multiple field ?

monitoring console

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

SignalFlow: What? Why? How?