Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction from Regex

tmarlette
Motivator
‎05-08-2012 01:21 PM

So I am relatively new to extracting fields in Splunk, but I have some knowledge of regex, and I'm attempting to apply it in Splunk.

I have a pattern I am attempting to extract and put into a field. The pattern looks like this: 

USER@TEST

I am using this expression to match the pattern:

(\w+@\w+)

I would like to extract this into a field called "user_domain", and I'm having some difficulty renaming (\w+@\w+) as "user_domain".

PS... this forum doesn't show forward slashes, however they are there. 😃

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-08-2012 02:09 PM

What ways did you try? You could make use of the rex command, like this:

... | rex "(?<user_domain>\w+@\w+)"

Or you could make this kind of extraction permanent by using the interactive field extractor (http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample ).

View solution in original post

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎05-08-2012 03:08 PM

By curiosity, are you trying to extract apache logs or IIS logs ?

Existing sourcetypes provide automatic extraction :

Reply
Solved! Jump to solution

tmarlette
Motivator
‎11-29-2012 07:08 AM

It does happen automagically, but you can make any sourcetype extract the same fields with the transform. start taking a look at props.conf, and transforms.conf for general iis field extractions.

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎05-08-2012 03:11 PM

Negative yannK, These are proprietary log messages that I'm attempting to scrub.

But to make sure I understand you correctly, because we do have apache and iis logs here as well, if I name my sourcetype "access_combined" and send my iss / apache logs there, Splunk will extract a set of fields auto-magically?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎05-08-2012 03:44 PM

yes, some sourcetypes are defined and provide automatic field extractions. look for : syslog, access_combined and apache_errors ...

see http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Listofpretrainedsourcetypes

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-08-2012 02:09 PM

What ways did you try? You could make use of the rex command, like this:

... | rex "(?<user_domain>\w+@\w+)"

Or you could make this kind of extraction permanent by using the interactive field extractor (http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample ).

Reply
Solved! Jump to solution

tmarlette
Motivator
‎05-08-2012 03:04 PM

Actually... I didn't try that at all.

<--- Shamed

| rex "(?\w+@\w+)"
that worked splendidly, thank you!

I did try the interactive extractor though, but it won't extract everything I needed it to.

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...