Solved: How to apply regex to lookup table field? - Splunk Community

Splunk Search

Hello All,

I have a lookup file with multiple fields. I am reading it using inputlookup command and implementing some filters. Now I need to apply regex on a field and extract the corresponding matched string from each row of the lookup into a separate field.

The regex is: xxx[\_\w]+:([a-z_]+)

Thus, I need your guidance and inputs to build the same.

Thank you

Taruchit

1 Solution

Solution

| rex field=fieldA "xxx[\_\w]+:(?<res>[a-z_]+)"

View solution in original post

You need to specify a field that you wish the extracted pattern to be put in - for example:

xxx[\_\w]+:(?<fieldname>[a-z_]+)

Hello @ITWhisperer,

Thank you for your response.

Can you please help with example of how to write the code?

|inputlookup myTable.csv
|where _time=relative_time(now(),"-1d@d")

Now I need to apply the regular expression on fieldA and store the extracted data from each row in field: res.

It would be very helpful if you could help.

Thank you

Solution

| rex field=fieldA "xxx[\_\w]+:(?<res>[a-z_]+)"

Thank you @ITWhisperer for your prompt help.

Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...