Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a field between two patterns in a search for further stats processing?

atanasmitev
Path Finder
‎10-21-2014 09:52 PM

I have a _raw field with the following data in:

..............    "Stuff\":\"CAPITALS_AND_UNDERSCORES\",      ...........

The way I see it, I need to extract everything between "Stuff\":\" and ", patterns.

Can you help me extract the CAPITALS_AND... info from this line to a field, so that I further perform "stats" searches ?.
Splunk build is 6.0.1 if it matters.

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎10-22-2014 12:27 AM

Hi atanasmitev,

try something like this:

your base search here | rex "Stuff\\\"\:\\\"(?<myField>\w+)" | ...

This will get you a new field called myField and matches any word character (alphanumeric & underscore). If there are other characters then the provided example, simply adapt the regex.

small update: and if this fits your needs, add it as automatic field extraction - to do this follow the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/Addfieldsatsearchtime

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution
Solution

MuS
Legend
‎10-22-2014 12:27 AM

Hi atanasmitev,

try something like this:

your base search here | rex "Stuff\\\"\:\\\"(?<myField>\w+)" | ...

This will get you a new field called myField and matches any word character (alphanumeric & underscore). If there are other characters then the provided example, simply adapt the regex.

small update: and if this fits your needs, add it as automatic field extraction - to do this follow the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Knowledge/Addfieldsatsearchtime

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

atanasmitev
Path Finder
‎10-22-2014 07:25 AM

Works thanks 🙂 Finally . All I needed was to add another search option before the regexp, like so

my base search "Stuff" | rex field=thefield_to_rex "Stuff\\\"\:\\\"(?<myField>\w+)" | ...

It seems like the entire field to regexp followed the same "ID" : "Info" notation, so instead of extract all it did was print 🙂
The rex works like a charm, yet my search was wrong 😄

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...