Splunk Search

Extracting names from fields

Rgk_Trail
Explorer

Hi, 

I am trying to extract name of the individuals from the field that I have in the data. For example from the data below, I want to extract Jack Smith and Joe Shmoe. 

Any suggestions on how I can do this ? 

Some Text
Some Text
24-Jul-2020 10:52:41 - Jack Smith (Approval history)
Jack Smith approved INT128302 for group **CAB - DEV Tech
Some Text
Some Text
22-Jul-2020 12:56:37 - Joe Shmoe (Approval history)
Joe Shmoe approved INT128302 for group **Dev - DBA Tech group
Some Text
Some Text

 

Thanks ! 

Rohan 

Labels (2)
Tags (2)
0 Karma
1 Solution

s2_splunk
Splunk Employee
Splunk Employee

Try this: 

|inputlookup change_task_xx| rex field=approval "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group

 

View solution in original post

Rgk_Trail
Explorer

Would this work if names(Jack Smith) and groups(**CAB - DEV Tech) change ? 

Actually, I was not very clear in my initial question. So I want to extract name of the person and the group from that field. 

So format will remain the same but names and groups will change. Any idea if I can extract based on matching string and then extract text based on spaces in between ? cause format will remain the same in my data.

Thanks ,

Rohan

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Are these all separate events or does every event start with a timestamp but can be multi-line?

Does the group name always start with **?

Does every line with name and group always have "approved" and "for group" in?

0 Karma

Rgk_Trail
Explorer

Are these all separate events or does every event start with a timestamp but can be multi-line?

Every event starts with timestamp, and its multi-line. for every event name and group is buried between some other information that is not relevant for the task.

 

Does the group name always start with **?

Ya. Always 

 

Does every line with name and group always have "approved" and "for group" in?

Yes. Always. It may have "rejected" as well but I want to extract only one with "approved"

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

-- your search

| rex "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"

0 Karma

Rgk_Trail
Explorer

I am trying this command but it doesnt return any results, am i using it wrong ? 

 

|inputlookup change_task_xx| rex "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group

Output that I am getting: 

change_requests           name          group

1                                         

2

3

 

name and group information exists in the field(approval) in the lookup . 

 

- Rohan K.

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does your table include the multi-line events as single events or have they been split across multiple events?

0 Karma

Rgk_Trail
Explorer

attached data from lookup. 

its multiline as single event. Its tied to unique field (change_request) in dataset. So goal is to extract change_request and name, group from approval for that change request.

 

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

Try this: 

|inputlookup change_task_xx| rex field=approval "\n(?<name>.+)\sapproved\s.+for\sgroup\s(?<group>.+)\n"|table change_request name group

 

Rgk_Trail
Explorer

Thanks a lot ! 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
--- your search
| rex "-\s+(?<name>[^\(]+)"
| eval name=trim(name)
0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...