Solved: rex syntax help

verifi81 · ‎05-11-2021

Hi I have a search that his the Field of Username and 3 sample values

Username
Bob Marley Peter,
Sammy Dolphin Green,
Larry Macy Jr,

I need help with the rex syntax that keeps the first and middle name separate, but joins the middle and last name while dropping the apostophe

In essence, i want the end result to be like this:

Username2
Bob MarleyPeter
Sammy DolphinGreen
Larry MacyJr

Please help correct this syntax:
| rex field=blah "(?i)username=(?<username2>[^,]+) | table username2

javiergn · ‎05-11-2021

Hi, you don't really need rex for that, although you could use rex with sed mode to achieve pretty much the same as this:

| eval Username2 = split(Username, " ")
| eval Username2 = mvindex(Username2, 0) . " " . mvjoin(mvindex(Username2,1,-1),"")

Screenshot from my lab:

View solution in original post

javiergn · ‎05-11-2021

Hi, you don't really need rex for that, although you could use rex with sed mode to achieve pretty much the same as this:

| eval Username2 = split(Username, " ")
| eval Username2 = mvindex(Username2, 0) . " " . mvjoin(mvindex(Username2,1,-1),"")

Screenshot from my lab:

verifi81 · ‎05-11-2021

Javiergn, thank you so much.

I forgot to add a .

What would I add to that to make the results look like this:

Username2
Bob.MarleyPeter
Sammy.DolphinGreen
Larry.MacyJr

verifi81 · ‎05-11-2021

I figured it out. This will give me what I want

| eval Username2 = split(Username, " ")
| eval Username2 = mvindex(Username2, 0) . "." . mvjoin(mvindex(Username2,1,-1),"")

This is very complex. Would you be kind enough to provide me a link that you would recommend a novice to study so that I can understand every aspect of the above command?

javiergn · ‎05-11-2021

Sure no problem. The commands are actually relatively simple to understand:

split: https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/MultivalueEvalFunctions#split.28X...

mvindex: https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/MultivalueEvalFunctions#mvindex.2...

mvjoin: https://docs.splunk.com/Documentation/Splunk/8.1.3/SearchReference/MultivalueEvalFunctions#mvjoin.28...

In a nutshell, what the code above is doing is:

- Create field Username2 from splitting Username by blank spaces. Which creates a multivalue field (a field with several values, like an array)

- Then update Username2 by taking the first member of the this array with mvindex and join (using mvjoin) with all the remaining members of the array joined by "no space", (the double quotes). Which is the same as saying start at member 1 (remember that first member is 0) and then finish by member -1, which is the last one but without having to precalculate the length of your array.

This code will also work if your users have more than one middle or last name.

I hope that makes sense and if you are happy with the answer please don't forget to accept it as solution so that others can benefit from it.

verifi81 · ‎05-14-2021

Thank you very much for taking the time to explain this to me.

javiergn · ‎05-14-2021

Sure no problem. If you were happy with the answers please don’t forget to upvote them and give karma so that others can find them more easily too. Regards, J

rex syntax help

configuration

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?