Splunk Search

Field extraction

alonKri
Explorer

Hi Splunk team, I would like to receive your dedicated help. 

I have a string field, the field's structure is name_timestamp

The name contains underscores between words, and after the name there is another underscore. Finally, there is a full date. For example: this_is_an_example_09_13_2021.

My goal is to extract the name from this field. For this example, I would like to receive this_is_an_example.

Is it possible?

Thanks in advance! 😊

1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Since you are not extracting the time (or at least that wasn't the requirement), you will probably find that the current anchor pattern will suffice - if you do need to extend it add _\d{2}_\d{2}


alonKri
Explorer

@ITWhisperer @isoutamo 

First of all, Thank you both!

I forgot that in addition to the full date, this field contains the hour and minutes. for example, 

 this_is_an_example_09_13_2021_03_45.

How should I change the rex command? 

Thanks!

alonKri
Explorer

Thanks so much! It's working 😊

@ITWhisperer

alonKri
Explorer

Where should I put it?

for example, this is the received output.

Note: The name may contain numbers. 

[screenshot of the received output: alonKri_0-1631523466792.png]

Thanks much!

isoutamo
SplunkTrust
SplunkTrust

"(?<test>.*)" basically matches everything in this field. When we add "_\d{4}_\d{2}_\d{2}_\d{2}_\d{2}$" we are requiring that at the end of this string there are _ + 4 digits + _ + 2 digits ... etc., and everything before that is put in the test field. So based on your string, just add those _\d{4} and _\d{2} in the correct places. And if those days, hours, minutes and seconds can be only one (1) digit long, then use _\d{1,2} to catch those too.

So based on your screenshot you should use e.g.

rex field=test max_match=0 "(?<test>.*)_\d{4}_\d{2}_\d{2}_\d{2}_\d{2}$" 

If you are using the name test for the field and for the capture group, then you are replacing the content of this field with the file name instead of creating a new field for file_name. So if you need the original file name later on, it's better to use something other than test as the capture group name.

r. Ismo

isoutamo
SplunkTrust
SplunkTrust

Hi,

Yes, it is. You could try this:

....
| rex field=name_timestamp max_match=0 "(?<file_name>.*)_\d{1,2}_\d{1,2}_\d{2,4}$"

r. Ismo 

ITWhisperer
SplunkTrust
SplunkTrust

| rex "(?<words>[a-zA-Z_]+)_\d{2}_\d{2}_\d{4}"
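As an added example (not part of this thread and not Splunk's own code), the Python below runs the two rex patterns posted above, plus a hypothetical extended pattern, over constructed sample values and mimics `rex` on a dict so the capture-group overwrite isoutamo describes is visible. It assumes that Python's re engine treats these particular constructs the same way Splunk's PCRE does, which holds for anchors, digit classes, bounded quantifiers and named groups; the sample values, the `date_time` pattern and the helper names (`extract_all`, `rex`, `CLOBBER`) are all constructed here, not taken from the thread or its screenshot.

```python
import re
from typing import Optional

# Constructed sample field values (not from the thread's screenshot). Splunk's rex
# uses PCRE; Python's re handles these patterns identically, so the results carry
# over to SPL.
SAMPLES = [
    "this_is_an_example_09_13_2021",        # name + MM_DD_YYYY (original question)
    "this_is_an_example_09_13_2021_03_45",  # name + MM_DD_YYYY_HH_MM (follow-up)
    "backup_v2_report_09_05_2021",          # digits inside the name (the note in the thread)
]

PATTERNS = {
    # isoutamo's first answer: anchored to the end of the field, date only.
    "date_only": re.compile(r"^(?P<file_name>.*)_\d{1,2}_\d{1,2}_\d{2,4}$"),
    # ITWhisperer's answer: name limited to letters and underscores, unanchored.
    "letters_only": re.compile(r"(?P<words>[a-zA-Z_]+)_\d{2}_\d{2}_\d{4}"),
    # Hypothetical extension (not from the thread): date with optional HH_MM,
    # 1-2 digit parts, and a lazy name group so digits inside the name are kept.
    "date_time": re.compile(
        r"^(?P<file_name>.+?)_\d{1,2}_\d{1,2}_\d{2,4}(?:_\d{1,2}_\d{1,2})?$"
    ),
}

# Same regex as date_only, but the capture group is named like the source field.
CLOBBER = re.compile(r"^(?P<test>.*)_\d{1,2}_\d{1,2}_\d{2,4}$")


def extract_name(value: str, pattern: re.Pattern) -> Optional[str]:
    """Return the value of the pattern's single named group, or None on no match."""
    m = pattern.search(value)
    if m is None:
        return None
    return next(iter(m.groupdict().values()))


def extract_all(value: str) -> dict:
    """Apply every pattern to one field value; None means rex would extract nothing."""
    return {name: extract_name(value, p) for name, p in PATTERNS.items()}


def rex(event: dict, field: str, pattern: re.Pattern) -> dict:
    """Mimic `| rex field=<field> "<pattern>"` on one event (a dict of fields).

    On a match every named capture group becomes a field. As in Splunk, a group
    named like an existing field overwrites that field; on no match the event
    passes through unchanged and the new field is simply absent.
    """
    value = event.get(field)
    if value is None:
        return dict(event)
    m = pattern.search(value)
    if m is None:
        return dict(event)
    return {**event, **m.groupdict()}


if __name__ == "__main__":
    for s in SAMPLES:
        print(s)
        for name, got in extract_all(s).items():
            print(f"  {name:13s} -> {got!r}")

    event = {"test": SAMPLES[0]}
    print(rex(event, "test", CLOBBER))                 # original 'test' value is lost
    print(rex(event, "test", PATTERNS["date_only"]))   # 'test' kept, 'file_name' added
```

Running it shows the three behaviours discussed in the thread side by side: the date-only pattern silently extracts nothing once HH_MM is appended, because the `$` anchor no longer lines up; the letters-only pattern keeps working after the time is appended, but on a name containing digits it returns a wrong fragment (`_report`) rather than failing, which is the harder case to notice in a search; and naming the capture group after the source field discards the original value.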