Solved: field extraction - regex handle fields with no va...

pc1234 · ‎04-23-2021

I'm trying to write a field extraction on the search head using a regex .

the sample data is as follows

FIELDS: user,email,type,ip

EVENT1: abc,abc@xyz.com,password ,127.0.0.1

EVENT2: xyz,,,127.0.0.5

the fields are comma-delimited whether or not there are values for each fields . In second event, email and type fields have no values(user and ip fields ALWAYS have values)

Can someone assist me in a regex to handle all fields? if the field has no value (email or type) assign no values to the fields .

Thanks in advance.

ITWhisperer · ‎04-23-2021

| rex "(?<user>[^,]*),(?<email>[^,]*),(?<type>[^,]*),(?<ip>[^,]*)"

View solution in original post

ITWhisperer · ‎04-23-2021

| rex "(?<user>[^,]*),(?<email>[^,]*),(?<type>[^,]*),(?<ip>[^,]*)"

field extraction - regex handle fields with no values

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation