Splunk Search

Creating multiple fields by extracting values from single field

mbasharat
Builder

Hi,

I have a field name Family. This field contain names of husband and wife in below Figure 1 format:
alt text

All values for field “Family” are populated in above format. In value 1, Newman is the Last Name for both husband and wife. In value 2, Stewart is the Last Name for both husband and wife. Likewise will be for the rest of the values.

What I need is, from one Family field value, I need to extract Husband’s Full Name, Husband’s First Name, Husband’s Middle Initial, Husband’s Last Name, Wife’s Full Name, Wife’s Middle Initial, Wife’s Last Name in below Figure 2 format, how?

alt text

RegEx gives headache but if I have to have it then still ok but multiple evals will be better because it is easily understandable.

Thanks in-advance for assistance!!!

Tags (1)
0 Karma
1 Solution

renjith_nair
Legend

@mbasharat ,

If the format of the field is same across all events, try

| rex field=Family "(?<Husband_First_Name>\w+)\s+(?<Husband_Middle_Name>\w+)\s+&\s+(?<Wife_First_Name>\w+)\s+(?<Wife_Middle_Name>\w+)\s+(?<LastName>\w+)"

Once the fields are available, you can concatenate them for e.g.

eval Husband_Name=Husband_First_Name." ".Husband_Middle_Name." ".LastName
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma

renjith_nair
Legend

@mbasharat ,

If the format of the field is same across all events, try

| rex field=Family "(?<Husband_First_Name>\w+)\s+(?<Husband_Middle_Name>\w+)\s+&\s+(?<Wife_First_Name>\w+)\s+(?<Wife_Middle_Name>\w+)\s+(?<LastName>\w+)"

Once the fields are available, you can concatenate them for e.g.

eval Husband_Name=Husband_First_Name." ".Husband_Middle_Name." ".LastName
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

mbasharat
Builder

Also, is there a free tool or web portal where I can create these RegExs conveniently?

0 Karma

mbasharat
Builder

Ranith...with slight adjustment for my use case....it worked perfectly...THANK YOU!!!! I will be reaching out to you for alike RegEx assistance if I may? 🙂

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...