Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction from Regex

tmarlette
Motivator
‎05-08-2012 01:21 PM

So I am relatively new to extracting fields in Splunk, but I have some knowledge of regex, and I'm attempting to apply it in Splunk.

I have a pattern I am attempting to extract and put into a field. The pattern looks like this: 

USER@TEST

I am using this expression to match the pattern:

(\w+@\w+)

I would like to extract this into a field called "user_domain", and I'm having some difficulty renaming (\w+@\w+) as "user_domain".

PS... this forum doesn't show forward slashes, however they are there. 😃

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-08-2012 02:09 PM

What ways did you try? You could make use of the rex command, like this:

... | rex "(?<user_domain>\w+@\w+)"

Or you could make this kind of extraction permanent by using the interactive field extractor (http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample ).

View solution in original post

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎05-08-2012 03:08 PM

By curiosity, are you trying to extract apache logs or IIS logs ?

Existing sourcetypes provide automatic extraction :

Reply
Solved! Jump to solution

tmarlette
Motivator
‎11-29-2012 07:08 AM

It does happen automagically, but you can make any sourcetype extract the same fields with the transform. start taking a look at props.conf, and transforms.conf for general iis field extractions.

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎05-08-2012 03:11 PM

Negative yannK, These are proprietary log messages that I'm attempting to scrub.

But to make sure I understand you correctly, because we do have apache and iis logs here as well, if I name my sourcetype "access_combined" and send my iss / apache logs there, Splunk will extract a set of fields auto-magically?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎05-08-2012 03:44 PM

yes, some sourcetypes are defined and provide automatic field extractions. look for : syslog, access_combined and apache_errors ...

see http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Listofpretrainedsourcetypes

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-08-2012 02:09 PM

What ways did you try? You could make use of the rex command, like this:

... | rex "(?<user_domain>\w+@\w+)"

Or you could make this kind of extraction permanent by using the interactive field extractor (http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample ).

Reply
Solved! Jump to solution

tmarlette
Motivator
‎05-08-2012 03:04 PM

Actually... I didn't try that at all.

<--- Shamed

| rex "(?\w+@\w+)"
that worked splendidly, thank you!

I did try the interactive extractor though, but it won't extract everything I needed it to.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...