Splunk Search

Field extractions

Communicator

Hi there.

I've managed to work out some regex to grab the data I want when using regex101, but I'm having trouble porting it into Splunk because Splunk also needs the correct information in the right place to name that extracted field, I believe.

The data I've got looks like this:

#summary project x
#parts 1 a part
#person1 4
#person2
#invoice

And the regex that gets the values after the keys is:
(?<=#summary)\s(.*?)[\r\n]
or
(?<=#parts)\s(.*?)[\r\n]
or
(?<=#invoice)\s[0-9]*

The first two will have carriage returns at the end and that last one won't hence the different approach for that one.

I don't know where or what to add to get Splunk to call the first field Summary for example or Parts for the second as you can see.

I realise it's going to be something like in there somewhere but can't work out where.

Thanks.

0 Karma

Re: Field extractions

Champion

Hi

Can you please let us know the fieldname that you want to extract and also the expected output with sample.

0 Karma

Re: Field extractions

Communicator

So per above for the summary for example.
The raw data is:

"#summary project x"

I would like to end up with a field named Summary and a value of project x
In regex101 (?<=#summary)\s(.*?)[\r\n] retrieves the value "project x"

0 Karma

Re: Field extractions

Champion

Hi

Check this

| makeresults 
| eval _raw="#summary project x" 
| rex field=_raw "(?<=#summary)\s(?P<Summary>(.?)+)"
0 Karma

Re: Field extractions

Communicator

Thanks for this. This is a search time extraction though, isn't it? How can I apply this logic and get the same results with an index time extraction?

0 Karma

Re: Field extractions

Communicator

Tried this too but it doesn't work: _raw "(?<=#summary)\s(?P<Summary>(.?)+)"

0 Karma

Re: Field extractions

Communicator

Actually, also: I'm trying to find the field after the word summary, so it might not be project x but anything after the string #summary and up to the carriage return at the end of the line.

0 Karma

Re: Field extractions

Ultra Champion
| makeresults 
| eval sample="#summary project x
#parts 1 a part
#person1 4
#person2
#invoice"
| makemv delim="
" sample
| mvexpand sample
| rex field=sample "#(?<field_name>[^\s]+)( (?<value>.+))?"
| fillnull value value="N/A"
| eval value="\"".value."\""
| eval raw=mvzip(field_name,value,"=")
| stats count by raw
| rename raw as _raw
| kv

I put N/A where there is no value.

0 Karma

Re: Field extractions

Communicator

That is a cool search and extraction, thanks to4kawa. I'll definitely be able to use something like that in my project. As mentioned though, I do want to extract these fields when the data comes in so I've got them ready to work with within my app. So I want to be able to go into field extractions and create the extraction in there. What I can't find documentation on is changing the regex that extracts the data into Splunk regex that extracts it and then applies it to a field name. Like doing this bit but in the field extraction creation section of the Splunk GUI - #(?<field_name>[^\s]+)( (?<value>.+))? - that obviously assigns the value to the field_name.

0 Karma
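For the index-time version asked about in this thread, here is an added example (not from any post above and not Splunk's own documentation) of the props.conf, transforms.conf and fields.conf stanzas that run the same "#key value" regex as the data is indexed. The sourcetype name keyvalue_notes and the transform name extract_hash_keys are placeholders; the fields.conf stanzas list the keys from the sample data.

```ini
# props.conf -- bind the index-time transform to the sourcetype (placeholder name).
[keyvalue_notes]
TRANSFORMS-kvlines = extract_hash_keys

# transforms.conf -- the search above, applied at index time.
# Group 1 is the key and group 3 the value (group 2 is the optional " value"
# wrapper), so FORMAT refers to $1 and $3. "\#" matches a literal # so the
# leading character is never read as a conf-file comment; (?m) lets ^ anchor
# at each line when one event holds several "#key value" lines.
[extract_hash_keys]
REGEX = (?m)^\#(?<field_name>[^\s]+)( (?<value>.+))?
FORMAT = $1::$3
WRITE_META = true
# Match every key line in the event rather than only the first one.
REPEAT_MATCH = true
# A key with no value (#person2) leaves group 3 empty; the N/A fill in the
# search above is a search-time fillnull and has no index-time equivalent here.

# fields.conf -- declare the index-time fields so search treats them as indexed.
# One stanza per key expected in the data (the keys from the sample data).
[summary]
INDEXED = true
[parts]
INDEXED = true
[person1]
INDEXED = true
[person2]
INDEXED = true
[invoice]
INDEXED = true
```

If a fixed, capitalised field name is wanted instead of the dynamic one, use the original lookbehind regex in REGEX and FORMAT = Summary::$1, one transform per key.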