
Get Pattern or punct at search time for one specific field

AnilPujar
Path Finder

Does Splunk have any spl command like punct?

The default punct field will get patterns on the _raw field.

Is there any command I can use to get a similar pattern on a custom field instead of _raw?

Example:

description="User: ABC Project: XYZ Company Name: JKLM Short Description: Project is so and so"
description="User: ABC Company Name: JKLM Project: XYZ Employee Level: 7 Short Description: Project is so and so User Designation: Splunk Consultant"

description="User: ABC Project: Jkl Company Name: JKLM Short Description: Project: Automation"
and so on.


I cannot use the extract command, because the sub-fields I want to extract are not in order, and the keys are 2/3/4/5 words long.

The only key-value delimiter I can see is the colon (:), and sometimes users might also feed a : into certain sub-fields.



ITWhisperer
SplunkTrust

Your issue is not to do with punctuation; it is more to do with the field names being used within the field text, e.g. Project:

If you know the field names you want to extract, you could do something like this:

| makeresults 
| eval _raw="description=\"User: ABC Project: XYZ Company Name: JKLM Short Description: Project is so and so\"
description=\"User: ABC Company Name: JKLM Project: XYZ Employee Level: 7 Short Description: Project is so and so User Designation: Splunk Consultant\"
description=\"User: ABC Project: Jkl Company Name: JKLM Short Description: Project: Automation\""
| multikv noheader=t
| fields _raw
| fields - _time
| eval raw=_raw
| rex mode=sed field=raw "s/User: /_User_: /g"
| rex mode=sed field=raw "s/Project: /_Project_: /g"
| rex mode=sed field=raw "s/Company Name: /_Company Name_: /g"
| rex mode=sed field=raw "s/Employee Level: /_Employee Level_: /g"
| rex mode=sed field=raw "s/Short Description: /_Short Description_: /g"
| rex mode=sed field=raw "s/User Designation: /_User Designation_: /g"
| rex mode=sed field=raw "s/_(?<first>[^_]+)_: _(?<second>[^_]+)_/_\\1_: \\2/g"
| rex max_match=0 field=raw "_(?<namevalue>[^_]+_: [^_]+)"
| mvexpand namevalue
| rex field=namevalue "(?<name>[^_]+)_: (?<value>[^\"]*)"
| eval {name}=trim(value)
| fields - name namevalue value raw
| stats values(*) as * by _raw

Note that where Project: was used at the beginning of the field, this was corrected by assuming every field had something in it, and that if a known field name was at the start of a field, it could be reverted back to just text and not a field name to extract. Also, there is an assumption that underscores aren't used in the text. If they are, then use something else (that isn't in the text) as a delimiter for the field names.

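The same approach as the answer above, reimplemented in Python as an added example (it is not from the original post or from Splunk): it tokenises the field on the known key names and slices the values between them, so multi-word keys, arbitrary key order, colons inside values and a key name sitting at the start of a value are all handled. The key names and the sample descriptions are those from the question; the function and variable names are assumptions for the example.

```python
import re

# Constructed sample values of the "description" field, taken from the question.
SAMPLES = [
    "User: ABC Project: XYZ Company Name: JKLM Short Description: Project is so and so",
    "User: ABC Company Name: JKLM Project: XYZ Employee Level: 7 "
    "Short Description: Project is so and so User Designation: Splunk Consultant",
    "User: ABC Project: Jkl Company Name: JKLM Short Description: Project: Automation",
]

# Known key names. Longest first so "User Designation: " is never matched as "User".
KNOWN_KEYS = ["Short Description", "User Designation", "Company Name",
              "Employee Level", "Project", "User"]

# A key token is a known name followed by ": ", not glued to a preceding letter.
KEY_RE = re.compile(
    r"(?<![A-Za-z])("
    + "|".join(re.escape(k) for k in sorted(KNOWN_KEYS, key=len, reverse=True))
    + r"): "
)


def extract_fields(text):
    """Return {key: value} for every known key present in text, in any order.

    Mirrors the answer's rule: a key token that begins exactly where the previous
    key's value begins (e.g. "Short Description: Project: Automation") is treated
    as value text, not as a new key. Like the SPL version, a known name followed
    by ": " in the middle of a value would still be split.
    """
    keys = []
    for m in KEY_RE.finditer(text):
        if keys and m.start() == keys[-1].end():
            continue  # key name at the start of a value: keep it as text
        keys.append(m)
    result = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        result[m.group(1)] = text[m.end():end].strip()
    return result


def extract_all(samples=SAMPLES):
    """Apply extract_fields to each sample description."""
    return [extract_fields(s) for s in samples]


if __name__ == "__main__":
    for fields in extract_all():
        print(fields)
```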