Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract fields with a regular expression
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extract fields with a regular expression
I have fields in the format of LOG_ID, DEVICE_DATA, USERNAME, that I'd like to extract, and I'd like to exclude the default Splunk fields like _time, *_raw, and timeendpos, timestartpos, etc. Is that possible to do through the regex command? Can I chain that with table somehow?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you have "key=value" pairs, Splunk should be extracting them as a field by the name of "key" and the corresponding value "value".
You should be able to limit your searches by simply adding a the field = value as part of your search terms. (Example: "LOG_ID=12312")
If you are interested in displaying only certain fields in a table format, then piping into a table command and listing the fields you want is enough.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The data in the fields can contain anything, so I don't think I can do filtering based on that. An example would be LOG_ID=12312 DEVICE_DATA="random stuff" USERNAME="DAVIDTEST"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you update the quesiton with a specific example of the line you're extracting this data from? What data is in the "LOG_ID", "DEVICE_DATA", and "USERNAME" fields (numbers only, spaces, etc)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, the regex command is used for filtering search results based on a regular expression. The rex command is used for extracting fields out of events though. Including/excluding fields is done using the fields command.
Based on your question it sounds like you should take a tour of how Splunk works. Field extractions are covered here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime
And there's an excellent Splunk tutorial: http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
