Solved: How to apply regex to lookup table field? - Splunk Community

Splunk Search

Hello All,

I have a lookup file with multiple fields. I am reading it using inputlookup command and implementing some filters. Now I need to apply regex on a field and extract the corresponding matched string from each row of the lookup into a separate field.

The regex is: xxx[\_\w]+:([a-z_]+)

Thus, I need your guidance and inputs to build the same.

Thank you

Taruchit

1 Solution

Solution

| rex field=fieldA "xxx[\_\w]+:(?<res>[a-z_]+)"

View solution in original post

You need to specify a field that you wish the extracted pattern to be put in - for example:

xxx[\_\w]+:(?<fieldname>[a-z_]+)

Hello @ITWhisperer,

Thank you for your response.

Can you please help with example of how to write the code?

|inputlookup myTable.csv
|where _time=relative_time(now(),"-1d@d")

Now I need to apply the regular expression on fieldA and store the extracted data from each row in field: res.

It would be very helpful if you could help.

Thank you

Solution

| rex field=fieldA "xxx[\_\w]+:(?<res>[a-z_]+)"

Thank you @ITWhisperer for your prompt help.

Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious! We’re back with a Special ...