Re: HOW TO GET FULL NAME USING REGEX FROM RAW DATA

hrs2019 · ‎11-13-2021

Hello
How i can get the full name from log ie. Name=Busaram Manjraj
i am trying with this regex |rex field=-_raw "(?<Name>[^&]+)\s*\d*"
but it is giving just Name=Busaram not the full name.

Splunk raw data looks like
Name=Busaram, Manjraj

PickleRick · ‎11-13-2021

Firstly, if you want the regex not to capture the "Name=" part, you should specify it explicitly before the capture group.

Name=(?<Name>[^&]+)\s*\d*

Secondly, for me, it works (if you give proper field name):

Thirdly, why the \d* at the end? You have more data you're not showing us?

hrs2019 · ‎11-13-2021

@PickleRick Thanks for your reply i have added the screenshot for my output please have a look and the log also.

PickleRick · ‎11-13-2021

I don't know what your "-_raw" field is supposed to mean. The field name (with an exception for splunk's internal field like _raw or _time) has to start on a letter. Drop the "field=" option completely (even with matching _raw, you shouldn't use it - the rex command matches to _raw by default and specifying it explicitly can have performance impact - at least that's what the docs say).

If you match your regex to whole event, you should... get all event up to any apersand ("&") signs.

ashvinpandey · ‎11-13-2021

@hrs2019 Can you please share the full raw log ?

hrs2019 · ‎11-13-2021

added.

bhargavi · ‎11-14-2021

Hi @hrs2019

Try this.

| rex "Name=(?P<Name>\w+\,\s\w+)"

HOW TO GET FULL NAME USING REGEX FROM RAW DATA

regex

rex

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann