Knowledge Management

Extract backslash separated field to multiple field ?

Real_captain
Path Finder

HI 
Can someone please help me to extract the multiple fields from a single backslash separated field using rex command. 

FIELD1 = ABCD/EFGH/IJ/KL/MN/OP/QRST

How to create the multiple fields using the field FIELD1 as below :

Field_1 = ABCD 
Field_2 = EFGH
Field_3 = IJ
Field_4 = KL
Field_5 = MN
Field_6 = OP
Field_7 = QRST

 

 

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The fields can be extracted using the rex command or by using the split function (and perhaps others).

 

| eval FIELDS = split(FIELD1, "/")
| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

 

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 
    [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

Real_captain
Path Finder

Hi Team
Can someone please help me to extract the backslash separated field into multiple fields ? 

Example : Field is present in Splunk as below : 

Field = ABCD/EFG6/CR/IN/OU/XY/BMW

I need to use the rex command to extract the able field into 7 fields as below:

Field_1 = ABCD
Field_2 = EFG6
Field_3 = CR
Field_4 = IN
Field_5 = OU
Field_6 = XY
Field_7 = BMW

 

In case value of the file is below : 

Field = ABCD 
Then rex command generates the 7 fields as below : 

Field_1 = ABCD
Field_2 =  
Field_3 =  
Field_4 =  
Field_5 =  
Field_6 =  
Field_7 = 

 

 

 

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @Real_captain 
This straight forward method may not work if your data format is changed. 

Using the "split" Command will be simple and effective method. 

|makeresults | eval FIELD1 = "ABCD/EFGH/IJ/KL/MN/OP/QRST" 
| rex field=FIELD1 "(?P<Field_1>\w+)\/(?P<Field_2>\w+)\/(?P<Field_3>\w+)\/(?P<Field_4>\w+)\/(?P<Field_5>\w+)\/(?P<Field_6>\w+)\/(?P<Field_7>\w+)"
| table FIELD1 Field_1 Field_2 Field_3 Field_4 Field_5 Field_6 Field_7

 

inventsekar_0-1728277767527.png

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @Real_captain May i know if the issue is resolved or not yet, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. Those are slashes, not backslashes

2. Is the number of fields constant? If not, you can't use regex alone to split it into fields.

3. Isn't splitting the string with the eval split() function enough?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The fields can be extracted using the rex command or by using the split function (and perhaps others).

 

| eval FIELDS = split(FIELD1, "/")
| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

 

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 
    [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...