Splunk Search

Can you help me build a regex to extract fields with different field delimiters?

nuaraujo
Path Finder

Hello all,

Can someone help me build a regex that may allow me to extract 3 different fields from events where all the fields are concatenated?

Example of the event(everything in one line):

Comment_type1|Code100|description of Code100|Comment_type1|Code101|description of Code101|Comment_type1|Code102|description of Code103|Comment_type2|Code201|description of Code201|Comment_type2|Code8000|description of Code8000|Comment_type2|Code8001|description of Code8001|Comment_type3|Code7001|description of Code7001|Comment_type3|Code9001|description of Code9001|

What I would like to get:

fieldA|fieldB|fieldC
Comment_type1|Code100|description of Code100|
Comment_type1|Code101|description of Code101|
Comment_type1|Code102|description of Code103|
Comment_type2|Code201|description of Code201|
Comment_type2|Code8000|description of Code8000|
Comment_type2|Code8001|description of Code8001|
Comment_type3|Code7001|description of Code7001|
Comment_type3|Code9001|description of Code9001|

fieldA is always Comment_type1 OR Comment_type2 OR Comment_type3
fieldB its always a number with 3 or 4 digits
fieldC is a text string

Can someone help me with this?

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @nuaraujo,

Please try below regex

<yourBaseSearch> | rex field=_raw max_match=0 "(?<fieldA>Comment_type1|Comment_type2|Comment_type3)\|(?<fieldB>\w+\d{3,4})\|(?<fieldC>[^\|]*)\|?"

View solution in original post

harsmarvania57
SplunkTrust
SplunkTrust

Hi @nuaraujo,

Please try below regex

<yourBaseSearch> | rex field=_raw max_match=0 "(?<fieldA>Comment_type1|Comment_type2|Comment_type3)\|(?<fieldB>\w+\d{3,4})\|(?<fieldC>[^\|]*)\|?"

nuaraujo
Path Finder

Thanks @harsmarvania57 . You are awesome.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...