Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction from Regex

tmarlette
Motivator
‎05-08-2012 01:21 PM

So I am relatively new to extracting fields in Splunk, but I have some knowledge of regex, and I'm attempting to apply it in Splunk.

I have a pattern I am attempting to extract and put into a field. The pattern looks like this: 

USER@TEST

I am using this expression to match the pattern:

(\w+@\w+)

I would like to extract this into a field called "user_domain", and I'm having some difficulty renaming (\w+@\w+) as "user_domain".

PS... this forum doesn't show forward slashes, however they are there. 😃

Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-08-2012 02:09 PM

What ways did you try? You could make use of the rex command, like this:

... | rex "(?<user_domain>\w+@\w+)"

Or you could make this kind of extraction permanent by using the interactive field extractor (http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample ).

View solution in original post

Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎05-08-2012 03:08 PM

By curiosity, are you trying to extract apache logs or IIS logs ?

Existing sourcetypes provide automatic extraction :

Reply
Solved! Jump to solution

tmarlette
Motivator
‎11-29-2012 07:08 AM

It does happen automagically, but you can make any sourcetype extract the same fields with the transform. start taking a look at props.conf, and transforms.conf for general iis field extractions.

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎05-08-2012 03:11 PM

Negative yannK, These are proprietary log messages that I'm attempting to scrub.

But to make sure I understand you correctly, because we do have apache and iis logs here as well, if I name my sourcetype "access_combined" and send my iss / apache logs there, Splunk will extract a set of fields auto-magically?

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎05-08-2012 03:44 PM

yes, some sourcetypes are defined and provide automatic field extractions. look for : syslog, access_combined and apache_errors ...

see http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Listofpretrainedsourcetypes

0 Karma
Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-08-2012 02:09 PM

What ways did you try? You could make use of the rex command, like this:

... | rex "(?<user_domain>\w+@\w+)"

Or you could make this kind of extraction permanent by using the interactive field extractor (http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample ).

Reply
Solved! Jump to solution

tmarlette
Motivator
‎05-08-2012 03:04 PM

Actually... I didn't try that at all.

<--- Shamed

| rex "(?\w+@\w+)"
that worked splendidly, thank you!

I did try the interactive extractor though, but it won't extract everything I needed it to.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...