Splunk Search

How to build a regular expression that will split a field on the first underscore?

mstark31
Path Finder

I need to use regex to split a field into two parts, delimited by an underscore.

The vast majority of the time, my field (a date/time ID) looks like this, where AB or ABC is a 2 or 3 character identifier.

11232016-0056_ABC 
11232016-0056_AB

I use the following rex command to extract, and it works great.

| rex field=originalField "(?<subField1>.*)\_(?<subField2>.*)" 

For example:

originalField = 11232016-0056_ABC
subField1 = 11232016-0056
subField2 = ABC

However, I have a few special cases where originalField = 11232016-0056_ABC_M, where M could be anything alphanumeric following an additional underscore.

When I use the above rex command, I get the following result:

originalField = 11232016-0056_ABC_M
subField1 = 11232016-0056_ABC
subField2 = M

I want to see the following:

originalField = 11232016-0056_ABC_M
subField1 = 11232016-0056 
subField2 =  ABC_M

Basically, I need it to split at the first underscore and ignore all subsequent underscores.

1 Solution

sundareshr
Legend

Try this

.... | rex field=originalField "(?<subField1>[^_]+)_(?<subField2>.+)"

View solution in original post

gdziuba
Explorer

This should get you going.

.... | rex field=originalField "(?<subField1>[^_]+)_(?<subField2>.*)"

Use this if you want to keep the underscore at the end of the line in the case that the character is other than an underscore.

 .... | rex field=originalField "(?<subField1>.*?_)(?<subField2>.*)"

sshelly_splunk
Splunk Employee
Splunk Employee
(?P<field1>\S+)_(?P<field2>\w+)
0 Karma

sshelly_splunk
Splunk Employee
Splunk Employee

sorry -too fast on the draw. I didnt see the additional info around possible 2nd "_"'s occurring.
gdziuba's answer works perfectly (or so I think:))

0 Karma

mstark31
Path Finder

This still splits on the 2nd underscore.

0 Karma

sundareshr
Legend

Try this

.... | rex field=originalField "(?<subField1>[^_]+)_(?<subField2>.+)"

mstark31
Path Finder

This works! Thanks!

0 Karma

mstark31
Path Finder

Hello Past mstark31. Current mstark31 thanks you for asking this question 3 years ago.

0 Karma

mstark31
Path Finder
| rex field=specimenId "(?<subField1>[^_]+)_(?<subField2>.*)"

Changed + to * to account for cases where _ABC may not exist.

Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...