Knowledge Management

Extract backslash separated field to multiple field ?

Real_captain
Path Finder

HI 
Can someone please help me to extract the multiple fields from a single backslash separated field using rex command. 

FIELD1 = ABCD/EFGH/IJ/KL/MN/OP/QRST

How to create the multiple fields using the field FIELD1 as below :

Field_1 = ABCD 
Field_2 = EFGH
Field_3 = IJ
Field_4 = KL
Field_5 = MN
Field_6 = OP
Field_7 = QRST

 

 

 

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The fields can be extracted using the rex command or by using the split function (and perhaps others).

 

| eval FIELDS = split(FIELD1, "/")
| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

 

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 
    [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

Real_captain
Path Finder

Hi Team
Can someone please help me to extract the backslash separated field into multiple fields ? 

Example : Field is present in Splunk as below : 

Field = ABCD/EFG6/CR/IN/OU/XY/BMW

I need to use the rex command to extract the able field into 7 fields as below:

Field_1 = ABCD
Field_2 = EFG6
Field_3 = CR
Field_4 = IN
Field_5 = OU
Field_6 = XY
Field_7 = BMW

 

In case value of the file is below : 

Field = ABCD 
Then rex command generates the 7 fields as below : 

Field_1 = ABCD
Field_2 =  
Field_3 =  
Field_4 =  
Field_5 =  
Field_6 =  
Field_7 = 

 

 

 

0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @Real_captain 
This straight forward method may not work if your data format is changed. 

Using the "split" Command will be simple and effective method. 

|makeresults | eval FIELD1 = "ABCD/EFGH/IJ/KL/MN/OP/QRST" 
| rex field=FIELD1 "(?P<Field_1>\w+)\/(?P<Field_2>\w+)\/(?P<Field_3>\w+)\/(?P<Field_4>\w+)\/(?P<Field_5>\w+)\/(?P<Field_6>\w+)\/(?P<Field_7>\w+)"
| table FIELD1 Field_1 Field_2 Field_3 Field_4 Field_5 Field_6 Field_7

 

inventsekar_0-1728277767527.png

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust
SplunkTrust

Hi @Real_captain May i know if the issue is resolved or not yet, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

PickleRick
SplunkTrust
SplunkTrust

1. Those are slashes, not backslashes

2. Is the number of fields constant? If not, you can't use regex alone to split it into fields.

3. Isn't splitting the string with the eval split() function enough?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The fields can be extracted using the rex command or by using the split function (and perhaps others).

 

| eval FIELDS = split(FIELD1, "/")
| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

 

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 
    [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...