Splunk ITSI
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Combining Splunk ITSI regular expression SPL?

AnushaJone
New Member
‎05-09-2023 08:57 PM

I need help to combine line 1 and 2 make it as one regular expression line in SPL query 

1.      | rex "(?<object>gov\.usda\.fsa\.[^\s]+)"
2.      | eval object=split(coalesce(object, "NA"),"."),object=mvindex(object,-1)

 

Please help!

Labels (1)
Labels
0 Karma
Reply

yeahnah
Motivator
‎05-09-2023 09:34 PM

Hi @AnushaJone 

You've not provided any example the raw event and the expected outcome of the rex.  So, assuming you are looking for the top-level domain each time, then here is a run anywhere example of what to do...

 

| makeresults
| eval _raw="gov.usda.fsa.blah"
| rex "(?<object>gov\.usda\.fsa\.[^\s]+)"
| eval object=split(coalesce(object, "NA"),"."), object=mvindex(object,-1)
| rex "gov\.usda\.fsa\.(?<object2>[^\s]+)"

 

So the last rex line gives the same result and the rex and eval above.  However, maybe you're looking for something more generic ¯\_(ツ)_/¯

Hope it helps


0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...