Splunk Search

Extracting names from fields

Rgk_Trail
Explorer

Hi, 

I am trying to extract the names of the individuals from a field that I have in the data. For example, from the data below I want to extract Jack Smith and Joe Shmoe.

Any suggestions on how I can do this?

Some Text
Some Text
24-Jul-2020 10:52:41 - Jack Smith (Approval history)
Jack Smith approved INT128302 for group **CAB - DEV Tech
Some Text
Some Text
22-Jul-2020 12:56:37 - Joe Shmoe (Approval history)
Joe Shmoe approved INT128302 for group **Dev - DBA Tech group
Some Text
Some Text


Thanks ! 

Rohan 


Rgk_Trail
Explorer

Would this work if names (Jack Smith) and groups (**CAB - DEV Tech) change?

Actually, I was not very clear in my initial question. I want to extract the name of the person and the group from that field.

So the format will remain the same but names and groups will change. Any idea if I can extract based on a matching string and then extract text based on the spaces in between? Because the format will remain the same in my data.

Thanks,

Rohan


ITWhisperer
SplunkTrust

Are these all separate events or does every event start with a timestamp but can be multi-line?

Does the group name always start with **?

Does every line with name and group always have "approved" and "for group" in?


Rgk_Trail
Explorer

Are these all separate events or does every event start with a timestamp but can be multi-line?

Every event starts with a timestamp, and it's multi-line. For every event, the name and group are buried between some other information that is not relevant for the task.


Does the group name always start with **?

Ya. Always.


Does every line with name and group always have "approved" and "for group" in?

Yes. Always. It may have "rejected" as well, but I want to extract only the ones with "approved".


ITWhisperer
SplunkTrust

-- your search

| rex "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"


Rgk_Trail
Explorer

I am trying this command but it doesn't return any results. Am I using it wrong?


|inputlookup change_task_xx| rex "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group

Output that I am getting: 

change_requests    name    group
1
2
3

The name and group information exists in the field (approval) in the lookup.


- Rohan K.


ITWhisperer
SplunkTrust

Does your table include the multi-line events as single events or have they been split across multiple events?


Rgk_Trail
Explorer

Attached data from lookup.

It's multi-line as a single event. It's tied to a unique field (change_request) in the dataset. So the goal is to extract change_request plus the name and group from approval for that change request.


s2_splunk
Splunk Employee

Try this: 

|inputlookup change_task_xx| rex field=approval "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group

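To try the accepted rex pattern outside Splunk before running it against the lookup, here is an added Python example; it is not code from the thread or from Splunk, and the approval text it runs on is constructed in the shape of the question's sample. It shows the same regular expression pulling name and group out of the field, plus two things worth knowing here: a plain rex keeps only the first match (Splunk's max_match option is needed for more), and the leading \n in the pattern means an approval on the very first line of the field is not matched.

```python
import re
from typing import Optional

# Constructed sample of one lookup row's "approval" field, shaped like the
# question's data; names, groups and the extra "rejected" line are made up.
APPROVAL_FIELD = (
    "Some Text\n"
    "24-Jul-2020 10:52:41 - Jack Smith (Approval history)\n"
    "Jack Smith approved INT128302 for group **CAB - DEV Tech\n"
    "Some Text\n"
    "23-Jul-2020 09:10:00 - Jane Doe (Approval history)\n"
    "Jane Doe rejected INT128302 for group **Sec - Review\n"
    "Some Text\n"
    "22-Jul-2020 12:56:37 - Joe Shmoe (Approval history)\n"
    "Joe Shmoe approved INT128302 for group **Dev - DBA Tech group\n"
    "Some Text\n"
)

# The accepted rex pattern. Python spells named groups (?P<...>) where rex
# (PCRE) also accepts (?<...>); the body is otherwise identical. '.' never
# crosses a newline, so the leading and trailing \n pin each capture to one
# line, and the literal "approved" skips rejected lines.
REX_PATTERN = re.compile(
    r"\n(?P<name>.+)\sapproved\s.+for\sgroup\s(?P<group>.+)\n"
)

# Same body anchored per line with ^ and $: equivalent on the thread's data,
# but it also matches an approval on the very first line of the field,
# which the \n-anchored pattern silently misses.
LINE_PATTERN = re.compile(
    r"^(?P<name>.+)\sapproved\s.+for\sgroup\s(?P<group>.+)$", re.MULTILINE
)

def first_approval(field: str) -> Optional[dict]:
    """What a plain rex yields: only the first approved line."""
    m = REX_PATTERN.search(field)
    return m.groupdict() if m else None

def all_approvals(field: str) -> list:
    """What rex max_match=0 yields: every approved line, in order."""
    return [m.groupdict() for m in LINE_PATTERN.finditer(field)]

if __name__ == "__main__":
    print(first_approval(APPROVAL_FIELD))
    for hit in all_approvals(APPROVAL_FIELD):
        print(hit)
```

With max_match=0, rex returns name and group as multivalue fields; mvzip and mvexpand keep each name paired with its own group when the rows are split out.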

Rgk_Trail
Explorer

Thanks a lot!


ITWhisperer
SplunkTrust

-- your search

| rex "-\s+(?<name>[^\(]+)"
| eval name=trim(name)