Splunk Search

Field extractions

Communicator

Hi there.

I've managed to work out some regex to grab the data I want when using regex101, but I'm having trouble porting it into Splunk because Splunk also needs the correct information in the right place to name that extracted field, I believe.

The data I've got looks like this:

summary project x

parts 1 a part

person1 4

person2

invoice

And the regex that gets the values after the keys is:
(?<=#summary)\s(.*?)[\r\n]
or
(?<=#parts)\s(.*?)[\r\n]
or
(?<=#invoice)\s[0-9]*

The first two will have carriage returns at the end and the last one won't, hence the different approach for that one.

I don't know where or what to add to get Splunk to call the first field Summary for example or Parts for the second as you can see.

I realise it's going to be something like in there somewhere, but I can't work out where.

Thanks.

0 Karma
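As an added illustration (not part of the original post or an official Splunk answer), the snippet below shows the named-capture-group approach that turns a bare `(...)` group into a field with a name. Splunk's `rex` command is PCRE-based and writes a named group as `(?<Summary>...)`; Python's `re` module spells the same thing `(?P<Summary>...)`, so the example runs in Python and includes a small helper that rewrites the pattern into the PCRE form. The sample event is constructed here and assumes the keys are prefixed with `#`, as the lookbehinds in the posted regexes suggest; the field names `Summary`, `Parts` and `Invoice` are likewise assumptions. It also uses `[^\r\n]*` instead of a lazy `.*?` followed by `[\r\n]`, so the same pattern works whether or not the line ends with a carriage return.

```python
import re

# Constructed sample event modelled on the data in the question. The "#"
# prefixes and the CRLF line endings are assumptions; the last line has no
# trailing newline, which is the edge case the question mentions.
SAMPLE_EVENT = (
    "#summary project x\r\n"
    "#parts 1 a part\r\n"
    "#person1 4\r\n"
    "#person2\r\n"
    "#invoice 1234"
)

# Python named groups use (?P<name>...). Each pattern names the field it
# extracts; the character class [^\r\n]* stops at end of line without
# requiring a newline to be present.
FIELD_PATTERNS = [
    r"#summary\s(?P<Summary>[^\r\n]*)",
    r"#parts\s(?P<Parts>[^\r\n]*)",
    r"#invoice\s(?P<Invoice>[0-9]*)",
]


def extract_fields(event: str) -> dict:
    """Return a {field_name: value} dict for every pattern that matches."""
    fields = {}
    for pattern in FIELD_PATTERNS:
        match = re.search(pattern, event)
        if match:
            # groupdict() maps the group name to the captured text, which is
            # exactly the name -> value pairing Splunk produces for a field.
            fields.update(match.groupdict())
    return fields


def to_pcre(pattern: str) -> str:
    """Rewrite a Python named group (?P<name>...) into PCRE's (?<name>...)
    form, which is what Splunk's rex command expects."""
    return pattern.replace("(?P<", "(?<")


def splunk_rex_commands() -> list:
    """Build the equivalent rex command strings (assumed usage: rex field=_raw)."""
    return ['rex field=_raw "%s"' % to_pcre(p) for p in FIELD_PATTERNS]


if __name__ == "__main__":
    print(extract_fields(SAMPLE_EVENT))
    for cmd in splunk_rex_commands():
        print(cmd)
```

Running the block prints the extracted fields for the constructed event and the three `rex` command strings. Because each pattern is searched independently, an event that lacks one of the keys simply yields no value for that field rather than breaking the other extractions.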