Splunk Search

Extract field value after special characters from delimiter string

ramuzzini
Path Finder

Need help cleaning up my rex command line with data delineated by (,) then extracting the value after the (=) character from fields: Location=, Computer=, User=, Date=

Sample index data:
        Index = computerlogs
        Field name: CompLog

Field values: 
        Loc=Warehouse, Comp=WH-SOC01, User= username1, Date=2025-03-18
        Loc=Warehouse, Comp=WH-SOC02, User= username2, Date=2025-03-20
        Loc=Warehouse, Comp=WH-SOC03, User= username1, Date=2025-03-24

Created a dashboard showing all logins with only computer name, user and date as below

Working query 

       index=computerlogs
       | rex field=CompLog "([^,]+,){1}(?<LogComp>[^,]+)"
       | rex field=LogComp "\=(?<Computer>[^,]+)"
       | rex field=CompLog "([^,]+,){2}(?<LogUser>[^,]+)"
       | rex field=LogUser "\=(?<User>[^,]+)"
       | rex field=CompLog "([^,]+,){3}(?<LogDate>[^,]+)"
       | rex field=LogDate "\=(?<Date>[^,]+)"
       | table Computer User Date

       Computer          User                  Date
       WH-SOC01       username1    2025-03-18
       WH-SOC02       username2    2025-03-20
       WH-SOC03       username1    2025-03-24

My ask is to clean up the above rex commands, so I only have one rex command line for each data field I am trying to capture, if it is possible.  I tried to combine the two rex command lines into one.  I know I need to add the "\=" argument to get everything after the "=" character but get an error with my tries below.

      | rex field=CompLog"([^,]+,){1}\=(?<Computer>[^,]+)"
      | rex field=CompLog"([^,]+,){1}"\=(?<Computer>"[^,]+)"
      | rex field=CompLog"([^,]+,){1}"\=(?<Computer>[^",]+)"

Any help would be greatly appreciated.  Thanks.


livehybrid
SplunkTrust

Hi @ramuzzini 

How about this for a different approach? 

| eval json_data = "{" . replace(_raw, "(?<=,|^)([^=]+)=([^,]+)", "\"\\1\":\"\\2\"") . "}" 
| spath input=json_data 
| table Loc, Comp, User, Date

Here is a full working example:

| makeresults count=3 
| streamstats count 
| eval _raw=case(count=1, "Loc=Warehouse, Comp=WH-SOC01, User=username1, Date=2025-03-18",
    count=2, "Loc=Warehouse, Comp=WH-SOC02, User=username2, Date=2025-03-20",
    count=3, "Loc=Warehouse, Comp=WH-SOC03, User=username1, Date=2025-03-24") 
| fields _raw 
| eval json_data = "{" . replace(_raw, "(?<=,|^)([^=]+)=([^,]+)", "\"\\1\":\"\\2\"") . "}" 
| spath input=json_data 
| table Loc, Comp, User, Date


Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will
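Added illustration, not part of the answer above: the eval/replace-to-JSON step and the spath step ported to Python so they can be run offline against constructed lines in the shape of the question's CompLog field. Python's re rejects the variable-width lookbehind `(?<=,|^)`, so the port writes it as `(?:^|(?<=,))`; the matching is otherwise the same. Running it shows the space after each comma (and after `User=`) ending up inside the JSON keys and values, and a hardened variant (my own, not from the answer) that trims that whitespace and lets json.dumps escape quotes and backslashes so a value containing `"` cannot break the generated document.

```python
import json
import re

# Constructed sample lines in the shape of the question's CompLog field
# (not real log data).
SAMPLE_LINES = [
    "Loc=Warehouse, Comp=WH-SOC01, User= username1, Date=2025-03-18",
    "Loc=Warehouse, Comp=WH-SOC02, User= username2, Date=2025-03-20",
]

# Python's re needs every lookbehind alternative to have the same width, so
# the PCRE lookbehind (?<=,|^) from the answer is written as (?:^|(?<=,)).
NAIVE_PAIR = re.compile(r'(?:^|(?<=,))([^=]+)=([^,]+)')


def naive_to_json(line):
    """Literal port of the replace() step: rewrite pairs, wrap in braces."""
    return "{" + NAIVE_PAIR.sub(r'"\1":"\2"', line) + "}"


def naive_parse(line):
    """spath equivalent: parse the JSON the rewrite produced.

    Keys come back as " Comp", " User", " Date" because the space after
    each comma is inside the [^=]+ capture, and "User= username1" yields
    the value " username1".
    """
    return json.loads(naive_to_json(line))


def naive_parses(line):
    """True if the naive rewrite yields parseable JSON at all."""
    try:
        naive_parse(line)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError
        return False


# Hardened variant (assumption: keys never contain '=' or ','): \s* eats the
# whitespace around the key, the '=' and the value, and json.dumps escapes
# quotes and backslashes so a value such as WH"01 stays inside one string.
TRIMMED_PAIR = re.compile(r'\s*([^=,]+?)\s*=\s*([^,]*?)\s*(?=,|$)')


def _quoted_pair(m):
    return json.dumps(m.group(1)) + ":" + json.dumps(m.group(2))


def hardened_to_json(line):
    return "{" + TRIMMED_PAIR.sub(_quoted_pair, line) + "}"


def hardened_parse(line):
    return json.loads(hardened_to_json(line))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(naive_parse(line))
        print(hardened_parse(line))
```

The practical consequence for the SPL version: with the question's data (space after each comma, space after `User=`) the `| table Loc, Comp, User, Date` at the end would be looking for field names without the leading space; adding `\s*` around the key and value in the replace() pattern, as in the hardened regex above, avoids that.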

ITWhisperer
SplunkTrust

Making some assumptions here (because as @PickleRick says, your sample data is confusing, and a raw sample in a code block would be a better way to present it), but have you tried using extract?

| rename CompLog as _raw
| extract

PickleRick
SplunkTrust

1. You're pasting some ambiguous description of your data. Show us a sample of raw event(s). Anonymized if needed.

2. You don't have to escape the equals sign. It's in no way special in regex.

3. You should escape quotes though. Not because of regex but because the regex is passed as string within quotes.

4. As I said in p.1 it's not entirely clear what your data looks like but if the order of the fields is fixed (otherwise you need to extract each one separately), the  typical approach would be something like this:

| rex "Field1=\\s*(?<Field1>[^,]*),\\s*Field2=\\s*(?<Field2>[^,]*)"

and so on. Generally you anchor your regex with a fixed text (field name, comma) and capture everything in between. Notice double backslashes since it's a string argument. If you're sure you won't have spaces, you can drop that whitespace matching part.

And as always - you can test your regex at https://regex101.com/

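Added example, written for this page and not taken from any of the answers: the anchored-regex approach described above, plus the two alternatives the thread touches on, rendered in Python so they can be run offline. Splunk's `(?<name>...)` is `(?P<name>...)` in Python, and the single backslashes here correspond to the doubled ones needed inside an SPL string argument. The sample lines are constructed in the shape of the question's CompLog field; the field names Loc, Comp, User and Date are taken from it. `extract_fixed_order` is the one-regex version for a fixed field order; `extract_any_order` is the per-field extraction for when the order is not fixed; `extract_positional` collapses the question's two-step "skip n comma chunks, then take what follows `=`" into one regex per field, which is what the original post was trying to do.

```python
import re

# Constructed sample lines in the shape of the question's CompLog field
# (not real log data).
SAMPLE_LINES = [
    "Loc=Warehouse, Comp=WH-SOC01, User= username1, Date=2025-03-18",
    "Loc=Warehouse, Comp=WH-SOC02, User= username2, Date=2025-03-20",
    "Loc=Warehouse, Comp=WH-SOC03, User= username1, Date=2025-03-24",
]

# 1. Fixed field order: one regex anchored on the literal field names and
#    the commas between them, with \s* absorbing the stray space after
#    "User=". No escaping of '=' is needed; it is not a regex metacharacter.
FIXED_ORDER = re.compile(
    r'Loc=\s*(?P<Loc>[^,]*),\s*Comp=\s*(?P<Comp>[^,]*),\s*'
    r'User=\s*(?P<User>[^,]*),\s*Date=\s*(?P<Date>[^,]*)'
)


def extract_fixed_order(line):
    """All four fields from one match, or None if the line deviates."""
    m = FIXED_ORDER.search(line)
    return m.groupdict() if m else None


# 2. Order not fixed: one small regex per field. A missing or reordered
#    field then costs only that field instead of the whole match.
FIELDS = ("Loc", "Comp", "User", "Date")


def extract_any_order(line):
    out = {}
    for name in FIELDS:
        # (?:^|,)\s* anchors the key at a field boundary, so "User=" cannot
        # match inside a longer key such as "SuperUser=".
        pattern = r'(?:^|,)\s*' + re.escape(name) + r'=\s*([^,]*?)\s*(?=,|$)'
        m = re.search(pattern, line)
        if m:
            out[name] = m.group(1)
    return out


# 3. The question's positional style in a single regex: skip n
#    comma-terminated chunks, then skip the next key and its '=', and
#    capture the value up to the following comma.
def extract_positional(line, n):
    pattern = r'(?:[^,]*,){' + str(n) + r'}\s*[^=,]*=\s*([^,]*)'
    m = re.match(pattern, line)
    return m.group(1) if m else None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_fixed_order(line))
        print(extract_any_order(line))
        print([extract_positional(line, n) for n in range(4)])
```

Of the three, the anchored forms (1 and 2) are the ones to prefer: the positional form silently returns the wrong field as soon as a value contains a comma or a field is missing, whereas an anchored regex simply fails to match that field.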