Solved: Extract backslash separated field to multiple fiel...

Real_captain · ‎10-06-2024

HI
Can someone please help me to extract the multiple fields from a single backslash separated field using rex command.

FIELD1 = ABCD/EFGH/IJ/KL/MN/OP/QRST

How to create the multiple fields using the field FIELD1 as below :

Field_1 = ABCD
Field_2 = EFGH
Field_3 = IJ
Field_4 = KL
Field_5 = MN
Field_6 = OP
Field_7 = QRST

richgalloway · ‎10-06-2024

The fields can be extracted using the rex command or by using the split function (and perhaps others).

| eval FIELDS = split(FIELD1, "/")

| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 
    [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-06-2024

The fields can be extracted using the rex command or by using the split function (and perhaps others).

| eval FIELDS = split(FIELD1, "/")

| rex field=FIELD1 max_match=0 "(?<FIELDS>[^\/]+)"

Both commands will extract the fields into a multi-value field so iyou'll need to assign them to separate fields.

| foreach 1 2 3 4 5 6 7 
    [eval FIELD_<<FIELD>>=mvindex(FIELDS,<<FIELD>>-1)]

---
If this reply helps you, Karma would be appreciated.

Real_captain · ‎10-06-2024

Hi Team
Can someone please help me to extract the backslash separated field into multiple fields ?

Example : Field is present in Splunk as below :

Field = ABCD/EFG6/CR/IN/OU/XY/BMW

I need to use the rex command to extract the able field into 7 fields as below:

Field_1 = ABCD
Field_2 = EFG6
Field_3 = CR
Field_4 = IN
Field_5 = OU
Field_6 = XY
Field_7 = BMW

In case value of the file is below :

Field = ABCD
Then rex command generates the 7 fields as below :

Field_1 = ABCD
Field_2 =
Field_3 =
Field_4 =
Field_5 =
Field_6 =
Field_7 =

inventsekar · ‎10-06-2024

Hi @Real_captain
This straight forward method may not work if your data format is changed.

Using the "split" Command will be simple and effective method.

|makeresults | eval FIELD1 = "ABCD/EFGH/IJ/KL/MN/OP/QRST" 
| rex field=FIELD1 "(?P<Field_1>\w+)\/(?P<Field_2>\w+)\/(?P<Field_3>\w+)\/(?P<Field_4>\w+)\/(?P<Field_5>\w+)\/(?P<Field_6>\w+)\/(?P<Field_7>\w+)"
| table FIELD1 Field_1 Field_2 Field_3 Field_4 Field_5 Field_6 Field_7

inventsekar · ‎10-10-2024

Hi @Real_captain May i know if the issue is resolved or not yet, thanks.

PickleRick · ‎10-06-2024

1. Those are slashes, not backslashes

2. Is the number of fields constant? If not, you can't use regex alone to split it into fields.

3. Isn't splitting the string with the eval split() function enough?

Extract backslash separated field to multiple field ?

monitoring console

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

How to find the worst searches in your Splunk environment and how to fix them

Share Your Feedback: On Admin Config Service (ACS)!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

Join the Conversation