Solved: Rex field

Azwaliyana · ‎11-15-2021

I want to extract the Country and the Node. When I use the rex in regex101, it works fine. But when I put it on Splunk search, it did not extract the Country and the Node. Do you guys know where is my mistake?

This is my search query.

index="maxis_csaroam_index" source="/home/csaops/csaroam/*_MOS.csv" 
| dedup Description
| table Description
| rex field=Description "(?<Country>[\w]+)(?<Node>[\w\- ]*\n)"

ITWhisperer · ‎11-15-2021

Try without the newline in the match

| rex field=Description "(?<Country>[\w]+)(?<Node>[\w\- ]+)"

View solution in original post

somesoni2 · ‎11-16-2021

Give this a try (avoided using dedup command as well, best practice)

index="maxis_csaroam_index" source="/home/csaops/csaroam/*_MOS.csv" 
| stats count by Description
| table Description
| rex field=Description "(?<Country>\S+)\s+(?<Node>\S+)"

bhargavi · ‎11-15-2021

Hi @Azwaliyana ,

Try this.

| rex field=Description "(?<Country>\w+)\s(?<Node>\w*\-?\w+)"

ITWhisperer · ‎11-15-2021

Try without the newline in the match

| rex field=Description "(?<Country>[\w]+)(?<Node>[\w\- ]+)"

Rex field

troubleshooting

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms