Solved: How to extract two new fields from one existing fi...

evallja · ‎08-04-2022

Hello everyone,

I have a field named SQL_NAME with values as per below (I'm writing two of them):

#1(8):EMEMEB #2(14):8/3/2022 0:0:0 #3(13):Ememe Behe #4(3):409 #5(0):
#1(6):TSUDE #2(14):8/1/2022 0:0:0 #3(10):Tugu Sude #4(3):411 #5(0):

and I want to extract two fields named user and name with their values in the bold strings above using regular expression. Any idea?

Thank you in advance.

richgalloway · ‎08-04-2022

Try this command.

| rex field=SQL_NAME "\d+\):(?<user>\S+).*?#3\(\d+\):(?<name>.*?)\s#"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-04-2022

Try this command.

| rex field=SQL_NAME "\d+\):(?<user>\S+).*?#3\(\d+\):(?<name>.*?)\s#"

---
If this reply helps you, Karma would be appreciated.

evallja · ‎08-04-2022

Thanks a lot! That worked like a charm!
May I ask if there is any regex generator that generates the regex form from just selecting a specific text?

richgalloway · ‎08-04-2022

Splunk's Field Extractor feature will do that, but the expressions it generates are not optimal.

I have not used any other regex generators.

---
If this reply helps you, Karma would be appreciated.

How to extract two new fields from one existing field using regex?

scheduled search

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms