Solved: Field Extraction of particular data from user defi...

jlattus · ‎09-15-2011

I'm trying to pull a certain type of data from a field but that field can change into different types of data depending on the log. I only want to keep the particular data and ignore the rest.

An example would be a field called "username". I don't care when username=root but when username="any other user" I want to grab that data only. Is there a way to do this? I appreciate any feedback.

bbingham · ‎09-15-2011

during search time you can use the command "rex" to extract a piece of another field. rex uses regex on top of any data to create new fields (or replace).

|rex field=username "(?<username2>\w+)"

This builds a new field username2 with any username. So same type of concept, since you can use regex, do conditional lookahead matching:

|rex field=username "(?<username2>(?!root)\w+)"

This should match the field only if root is not matched.

Hope that helps.

View solution in original post

bbingham · ‎09-15-2011

during search time you can use the command "rex" to extract a piece of another field. rex uses regex on top of any data to create new fields (or replace).

|rex field=username "(?<username2>\w+)"

This builds a new field username2 with any username. So same type of concept, since you can use regex, do conditional lookahead matching:

|rex field=username "(?<username2>(?!root)\w+)"

This should match the field only if root is not matched.

Hope that helps.

jlattus · ‎09-16-2011

Awesome thanks!

Field Extraction of particular data from user defined field

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms