Splunk Search

How to edit my regular expression to extract a field value?

email2vamsi
Explorer

I have the following field value in field script_field.
Test script /name/name/check.sh ran
VM Script - xi2v

I want this field to hold the value up to the word ran.
Test script /name/name/check.sh ran should be retained in the script_field field. Anything after the word ran should be discarded.
The regex should be generic, as the value after the word ran keeps changing.

I am trying to achieve this using the below.
| rex mode=sed field=script_field "s/(ran)//g"

1 Solution

msivill_splunk
Splunk Employee

Try this

rex field=script_field "(?<new_field>.*ran)"

Full working example

| makeresults | eval script_field = "Test script /name/name/check.sh ran VM Script - xi2v" | rex field=script_field "(?<new_field>.*ran)"

Or

| makeresults | eval script_field = "Test script /name/name/check.sh ran VM Script - xi2v" | rex field=script_field "(?<script_field>.*ran)"

To overwrite the existing field

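The check a practitioner would want before relying on the accepted pattern is what `.*ran` does when the trailing text itself contains "ran" again: `.*` is greedy, so the capture runs to the last "ran" in the value, not the first. The following is an added example, not code from the thread or from Splunk: it reproduces the answer's pattern with Python's `re` module (Splunk's rex uses PCRE, where the `(?<name>...)` group syntax is valid; Python spells the same named group `(?P<name>...)` and the `.*ran` matching semantics are identical), shows what the question's original `s/(ran)//g` expression actually does, and adds a non-greedy, whole-word variant (an assumption of this example, not something the thread proposes) that stops at the first word "ran". The sample values are constructed for the example.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample values in the shape the question describes: the text to
# keep ends at the word "ran"; whatever follows it varies from event to event.
SAMPLES = [
    "Test script /name/name/check.sh ran VM Script - xi2v",
    "Test script /name/name/check.sh ran",
    # Edge case: the trailing text contains the word "ran" a second time.
    "Test script /name/name/check.sh ran VM Script - ran on host7",
]

# The accepted answer's pattern, (?<new_field>.*ran), in Python named-group
# syntax. ".*" is greedy, so the capture extends to the LAST "ran" in the value.
GREEDY = re.compile(r"(?P<new_field>.*ran)")

# Assumed hardened variant (not from the thread): a lazy ".*?" plus word
# boundaries stops the capture at the FIRST whole word "ran", so a later "ran"
# in the discarded tail (or "ran" inside a longer word) cannot move the cut.
FIRST_WORD = re.compile(r"(?P<new_field>.*?\bran\b)")


def extract(value: str, pattern: re.Pattern = GREEDY) -> Optional[str]:
    """Return the named capture new_field, or None when the pattern does not match.

    rex behaves the same way: an event that does not match simply gets no field.
    """
    match = pattern.search(value)
    return match.group("new_field") if match else None


def extract_all(values: Iterable[str], pattern: re.Pattern = GREEDY) -> List[Optional[str]]:
    """Apply extract() to every value, mirroring rex running over a result set."""
    return [extract(value, pattern) for value in values]


def original_attempt(value: str) -> str:
    """What the question's rex mode=sed "s/(ran)//g" does to a value.

    It deletes every occurrence of "ran" and keeps the tail, which is the
    opposite of the goal; the field is never truncated at the marker word.
    """
    return re.sub(r"(ran)", "", value)


if __name__ == "__main__":
    for value in SAMPLES:
        print("value      :", value)
        print("  greedy   :", extract(value, GREEDY))
        print("  first-word:", extract(value, FIRST_WORD))
        print("  sed s/(ran)//g:", original_attempt(value))
```

On the thread's own sample value both patterns return "Test script /name/name/check.sh ran"; they only diverge on the third constructed value, where the greedy pattern keeps "VM Script - ran" as well. If the discarded tail can never contain the marker word, the accepted answer is sufficient; if it can, the first-word form is the safer cut.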

email2vamsi
Explorer

Thank you.
But this is not working for real time search or dashboards.
Works fine for normal searches and dashboards.


email2vamsi
Explorer

I realized that I should not enter it in the Source editor.
I should enter it in search string.
Works for real time as well.


lakromani
Builder

You did not post what the problem is, but let me guess this solves it.
https://answers.splunk.com/answers/756/how-can-i-include-greater-less-than-signs-in-a-search-in-my-a...
