Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do you use rex to extract a specific field in Splunk?

braicu
New Member
‎03-22-2019 08:36 AM

Hello,

Can anybody help me extracting from this table with 3 regular expression:

I got a column in Splunk like this and the values between

Custom_Tag (this is the column name which i need to be split into 3 columns Account,AssetOwner,AssetDataStored)
"Key": "Account", "Value": "037395386785"
"Key": "AssetOwner", "Value": "Infrastructure"
"Key": "AssetDataStored", "Value": "InternalUseOnly"
"Key": "Account", "Value": "343254354354"
"Key": "AssetOwner", "Value": "Production"
"Key": "AssetDataStored", "Value": "ExternalUse"

and i need a rex to extract the values into 3 columns when matching the word Account,AssetOwner,AssedDataStored

Tag_Account Tag_AssetOwner Tag_AssetDataStored
037395386785 Infrastructure InternalUseOnly
343254354354 Production ExternalUse

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎03-22-2019 08:55 AM

Something like this should work:

| rex field=Custom_Tag "\"Account\",\s+\"Value\":\s+\"(?<Tag_Account>[^\"]+)"
| rex field=Custom_Tag "\"AssetOwner\",\s+\"Value\":\s+\"(?<Tag_AssetOwner>[^\"]+)"
| rex field=Custom_Tag "\"AssetDataStored\",\s+\"Value\":\s+\"(?<Tag_AssetDataStored>[^\"]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎03-22-2019 11:19 AM

Hi

Give a try

| makeresults 
| eval Custom_Tag ="\"Key\": \"Account\", \"Value\": \"037395386785\"" 
| append 
    [| makeresults 
    | eval Custom_Tag ="\"Key\": \"AssetOwner\", \"Value\": \"Infrastructure\""] 
| append 
    [| makeresults 
    | eval Custom_Tag ="\"Key\": \"AssetDataStored\", \"Value\": \"InternalUseOnly\""] 
| append 
    [| makeresults 
    | eval Custom_Tag ="\"Key\": \"Account\", \"Value\": \"343254354354\""] 
| append 
    [| makeresults 
    | eval Custom_Tag ="\"Key\": \"AssetOwner\", \"Value\": \"Production\""] 
| append 
    [| makeresults 
    | eval Custom_Tag ="\"Key\": \"AssetDataStored\", \"Value\": \"ExternalUse\""] 
| eval temp = replace(Custom_Tag , "\"|:|Key|Value","") 
| makemv delim="," temp 
| eval column1 = ltrim(mvindex(temp,0)) 
| eval column2=ltrim(mvindex(temp,1)) 
| eval{column1}=column2 
| stats list(Account) as Tag_Account,list(AssetDataStored) as Tag_AssetDataStored,list(AssetOwner) as Tag_AssetOwner
0 Karma
Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎03-22-2019 08:55 AM

Something like this should work:

| rex field=Custom_Tag "\"Account\",\s+\"Value\":\s+\"(?<Tag_Account>[^\"]+)"
| rex field=Custom_Tag "\"AssetOwner\",\s+\"Value\":\s+\"(?<Tag_AssetOwner>[^\"]+)"
| rex field=Custom_Tag "\"AssetDataStored\",\s+\"Value\":\s+\"(?<Tag_AssetDataStored>[^\"]+)"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...