#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I use erex to create fields?

GuillermoRamos
Engager
‎11-29-2021 08:18 AM

How can I erex a line TRUE, FALSE, TRUE,, FALSE, FALSE, FALSE, , FALSE, FALSE  source =" an imported CSV" the multiple true and false on the line have different column names. I am trying to create a label for each true and false following a reference sheet.

 

 

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 09:43 AM

There are a couple of ways to do that.

You can use rex at search time.

index=foo
| rex "(?<OAM>\w+), (?<disabled>\w+), (?<field3>\w+), (?<field4>\w+), (?<field5>\w+), (?<field6>\w+), (?<field7>\w+), (?<field8>\w+)"
| table OAM, disabled field3 field4 field5 field6 field7 field8

Other way is parse it at index-time using a REGEX in transforms.conf:

[parseflags]
REGEX = (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+)
FORMAT = OAM::$1 disabled::$2 field3::$3 field4::$4 field5::$5 field6::$6 field7::$7 field8::$8

Then invoke that transform in props.conf:

[mysourcetype]
TRANFORM-parse = parseflags
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 09:43 AM

There are a couple of ways to do that.

You can use rex at search time.

index=foo
| rex "(?<OAM>\w+), (?<disabled>\w+), (?<field3>\w+), (?<field4>\w+), (?<field5>\w+), (?<field6>\w+), (?<field7>\w+), (?<field8>\w+)"
| table OAM, disabled field3 field4 field5 field6 field7 field8

Other way is parse it at index-time using a REGEX in transforms.conf:

[parseflags]
REGEX = (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+)
FORMAT = OAM::$1 disabled::$2 field3::$3 field4::$4 field5::$5 field6::$6 field7::$7 field8::$8

Then invoke that transform in props.conf:

[mysourcetype]
TRANFORM-parse = parseflags
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

GuillermoRamos
Engager
‎11-29-2021 10:55 AM

That worked. Thank you

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 12:19 PM

Which method did you use?

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

GuillermoRamos
Engager
‎11-29-2021 08:28 AM

So, I have multiple false and trues back to back and each one has a different meaning. I am trying to create fields for each one. For example, the first true/false =indicates if OAM is managed on computer, second true/false = is computer disabled. The way the results populate after indexing are literally TRUE, FALSE, TRUE,, FALSE, FALSE, FALSE, , FALSE, FALSE.

I hope that makes sense.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 08:20 AM

What problem are you trying to solve?  Chances are, erex is not the answer (it almost never is), but we need to know what it is you are trying to do.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
Top