#Random
This is a place to discuss all things outside of Splunk, its products, and its use cases.
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I use erex to create fields?

GuillermoRamos
Engager
‎11-29-2021 08:18 AM

How can I erex a line TRUE, FALSE, TRUE,, FALSE, FALSE, FALSE, , FALSE, FALSE  source =" an imported CSV" the multiple true and false on the line have different column names. I am trying to create a label for each true and false following a reference sheet.

 

 

 

 

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 09:43 AM

There are a couple of ways to do that.

You can use rex at search time.

index=foo
| rex "(?<OAM>\w+), (?<disabled>\w+), (?<field3>\w+), (?<field4>\w+), (?<field5>\w+), (?<field6>\w+), (?<field7>\w+), (?<field8>\w+)"
| table OAM, disabled field3 field4 field5 field6 field7 field8

Other way is parse it at index-time using a REGEX in transforms.conf:

[parseflags]
REGEX = (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+)
FORMAT = OAM::$1 disabled::$2 field3::$3 field4::$4 field5::$5 field6::$6 field7::$7 field8::$8

Then invoke that transform in props.conf:

[mysourcetype]
TRANFORM-parse = parseflags
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 09:43 AM

There are a couple of ways to do that.

You can use rex at search time.

index=foo
| rex "(?<OAM>\w+), (?<disabled>\w+), (?<field3>\w+), (?<field4>\w+), (?<field5>\w+), (?<field6>\w+), (?<field7>\w+), (?<field8>\w+)"
| table OAM, disabled field3 field4 field5 field6 field7 field8

Other way is parse it at index-time using a REGEX in transforms.conf:

[parseflags]
REGEX = (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+), (\w+)
FORMAT = OAM::$1 disabled::$2 field3::$3 field4::$4 field5::$5 field6::$6 field7::$7 field8::$8

Then invoke that transform in props.conf:

[mysourcetype]
TRANFORM-parse = parseflags
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

GuillermoRamos
Engager
‎11-29-2021 10:55 AM

That worked. Thank you

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 12:19 PM

Which method did you use?

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

GuillermoRamos
Engager
‎11-29-2021 08:28 AM

So, I have multiple false and trues back to back and each one has a different meaning. I am trying to create fields for each one. For example, the first true/false =indicates if OAM is managed on computer, second true/false = is computer disabled. The way the results populate after indexing are literally TRUE, FALSE, TRUE,, FALSE, FALSE, FALSE, , FALSE, FALSE.

I hope that makes sense.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎11-29-2021 08:20 AM

What problem are you trying to solve?  Chances are, erex is not the answer (it almost never is), but we need to know what it is you are trying to do.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...