Splunk Search

Can you help me build a regex to extract fields with different field delimiters?

nuaraujo
Path Finder

Hello all,

Can someone help me build a regex that may allow me to extract 3 different fields from events where all the fields are concatenated?

Example of the event(everything in one line):

Comment_type1|Code100|description of Code100|Comment_type1|Code101|description of Code101|Comment_type1|Code102|description of Code103|Comment_type2|Code201|description of Code201|Comment_type2|Code8000|description of Code8000|Comment_type2|Code8001|description of Code8001|Comment_type3|Code7001|description of Code7001|Comment_type3|Code9001|description of Code9001|

What I would like to get:

fieldA|fieldB|fieldC
Comment_type1|Code100|description of Code100|
Comment_type1|Code101|description of Code101|
Comment_type1|Code102|description of Code103|
Comment_type2|Code201|description of Code201|
Comment_type2|Code8000|description of Code8000|
Comment_type2|Code8001|description of Code8001|
Comment_type3|Code7001|description of Code7001|
Comment_type3|Code9001|description of Code9001|

fieldA is always Comment_type1 OR Comment_type2 OR Comment_type3
fieldB its always a number with 3 or 4 digits
fieldC is a text string

Can someone help me with this?

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi @nuaraujo,

Please try below regex

<yourBaseSearch> | rex field=_raw max_match=0 "(?<fieldA>Comment_type1|Comment_type2|Comment_type3)\|(?<fieldB>\w+\d{3,4})\|(?<fieldC>[^\|]*)\|?"

View solution in original post

harsmarvania57
SplunkTrust
SplunkTrust

Hi @nuaraujo,

Please try below regex

<yourBaseSearch> | rex field=_raw max_match=0 "(?<fieldA>Comment_type1|Comment_type2|Comment_type3)\|(?<fieldB>\w+\d{3,4})\|(?<fieldC>[^\|]*)\|?"

nuaraujo
Path Finder

Thanks @harsmarvania57 . You are awesome.

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...