Splunk Search

Extract field value after special characters from delimiter string

ramuzzini
Path Finder

Need help cleaning up my rex command line with data delineated by (,) then extracting the value after the (=) character from fields: Location=, Computer=, User=, Date=

Sample index data:
        Index = computerlogs
        Field name: CompLog

Field values: 
        Loc=Warehouse, Comp=WH-SOC01, User= username1, Date=2025-03-18
        Loc=Warehouse, Comp=WH-SOC02, User= username2, Date=2025-03-20
        Loc=Warehouse, Comp=WH-SOC03, User= username1, Date=2025-03-24

Created a dashboard showing all logins with only computer name, user and date as below

Working query 

       index=computerlogs
       | rex field=CompLog "([^,]+,){1}(?<LogComp>[^,]+)"
       | rex field=LogComp "\=(?<Computer>[^,]+)"
       | rex field=CompLog "([^,]+,){2}(?<LogUser>[^,]+)"
       | rex field=LogUser "\=(?<User>[^,]+)"
       | rex field=CompLog "([^,]+,){3}(?<LogDate>[^,]+)"
       | rex field=LogDate "\=(?<Date>[^,]+)"
       | table Computer User Date

       Computer          User                  Date
       WH-SOC01       username1    2025-03-18
       WH-SOC02       username2    2025-03-20
       WH-SOC03       username1    2025-03-24

My ask is to clean up the above rex commands, so I only have one rex command line for each data field I am trying to capture, if it is possible. I tried to combine the two rex command lines into one. I know I need to add the "\=" argument to get everything after the "=" character but get an error with my tries below.

      | rex field=CompLog"([^,]+,){1}\=(?<Computer>[^,]+)"
      | rex field=CompLog"([^,]+,){1}"\=(?<Computer>"[^,]+)"
      | rex field=CompLog"([^,]+,){1}"\=(?<Computer>[^",]+)"

Any help would be greatly appreciated.  Thanks.


livehybrid
SplunkTrust

Hi @ramuzzini 

How about this for a different approach? 

| eval json_data = "{" . replace(_raw, "(?<=,|^)([^=]+)=([^,]+)", "\"\\1\":\"\\2\"") . "}" 
| spath input=json_data 
| table Loc, Comp, User, Date

Here is a full working example:

| makeresults count=3 
| streamstats count 
| eval _raw=case(count=1, "Loc=Warehouse, Comp=WH-SOC01, User=username1, Date=2025-03-18",
    count=2, "Loc=Warehouse, Comp=WH-SOC02, User=username2, Date=2025-03-20",
    count=3, "Loc=Warehouse, Comp=WH-SOC03, User=username1, Date=2025-03-24") 
| fields _raw 
| eval json_data = "{" . replace(_raw, "(?<=,|^)([^=]+)=([^,]+)", "\"\\1\":\"\\2\"") . "}" 
| spath input=json_data 
| table Loc, Comp, User, Date


Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will


ITWhisperer
SplunkTrust

Making some assumptions here (because as @PickleRick says, your sample data is confusing, and a raw sample in a code block would be a better way to present it), but have you tried using extract?

| rename CompLog as _raw
| extract

PickleRick
SplunkTrust

1. You're pasting some ambiguous description of your data. Show us a sample of raw event(s). Anonymized if needed.

2. You don't have to escape the equals sign. It's in no way special in regex.

3. You should escape quotes though. Not because of regex but because the regex is passed as string within quotes.

4. As I said in p.1 it's not entirely clear what your data looks like, but if the order of the fields is fixed (otherwise you need to extract each one separately), the typical approach would be something like this:

| rex "Field1=\\s*(?<Field1>[^,]*),\\s*Field2=\\s*(?<Field2>[^,]*)"

and so on. Generally you anchor your regex with a fixed text (field name, comma) and capture everything in between. Notice double backslashes since it's a string argument. If you're sure you won't have spaces, you can drop that whitespace matching part.

And as always - you can test your regex at https://regex101.com/

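As an added illustration (not part of any answer above), here are the two regex ideas from the thread, the generic key=value pattern and the fixed-order pattern anchored on literal field names, applied to the question's sample values in Python's re module; the sample lines are constructed from the question and the pattern and function names are my own.

```python
import re

# Constructed sample values in the format the question describes (not real log data).
SAMPLE_LOGS = [
    "Loc=Warehouse, Comp=WH-SOC01, User= username1, Date=2025-03-18",
    "Loc=Warehouse, Comp=WH-SOC02, User= username2, Date=2025-03-20",
    "Loc=Warehouse, Comp=WH-SOC03, User= username1, Date=2025-03-24",
]

# Generic key=value pair: anchor on start-of-string or a comma, allow whitespace
# around '=', stop the value at the next comma. Python's re rejects the
# variable-width lookbehind (?<=,|^) used in the thread, so (?:^|,) is used
# instead. The \s* parts trim the stray space in "User= username1" that a plain
# [^,]+ capture would otherwise keep in the value.
PAIR_RE = re.compile(r"(?:^|,)\s*([^=,]+?)\s*=\s*([^,]*?)\s*(?=,|$)")

def parse_pairs(line):
    """Return every key=value pair in a comma-delimited line, trimmed."""
    return {k: v for k, v in PAIR_RE.findall(line)}

# Fixed-order variant in the style of the anchored regex from the thread:
# the literal field names are the anchors, so the field order must be stable.
# No escaping of '=' is needed; it is not special in regex.
FIXED_RE = re.compile(
    r"Comp=\s*(?P<Computer>[^,]*),\s*User=\s*(?P<User>[^,]*),\s*Date=\s*(?P<Date>[^,]*)"
)

def extract_fixed(line):
    """Equivalent of a single rex with three named groups; None if no match."""
    m = FIXED_RE.search(line)
    return m.groupdict() if m else None

def build_table(lines):
    """Equivalent of '| table Computer User Date' over the sample values."""
    rows = []
    for line in lines:
        p = parse_pairs(line)
        rows.append((p["Comp"], p["User"], p["Date"]))
    return rows

if __name__ == "__main__":
    for row in build_table(SAMPLE_LOGS):
        print("\t".join(row))
```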