Re: How to extract a field using rex that may or m...

Naren26 · ‎02-06-2018

Consider I am having two string - "YY02State" and "Y02State"

In the above strings, I have to extract the fields like:
Y - IsStateLegal
Y - IsStateSafe
02 - StateId
State - NameOfState

There might be instances when the IsStateSafe field is not available in the log entry, like it is in the second string "Y02State". How can I write rex for this? Please note the other fields will always be available.

I tried the following rex, but of no luck.

(?<IsStateLegal>\w{1})(?<IsStateSafe>\w*.{1})(?<StateId>d{2})(?<NameOfState>\w*)

Please suggest a solution for this.

mayurr98 · ‎02-06-2018

hey @Naren26,

Try this run anywhere search

| makeresults 
| eval raw="YY02State Y02State N32State YN02State" 
| makemv raw 
| mvexpand raw 
| rex field=raw "(?<IsStateLegal>[A-Za-z])(?<IsStateSafe>[^\d]*)(?<StateId>\d{2})(?<NameOfState>\S+)"

In your environment, you should write

| rex field=_raw "(?<IsStateLegal>[A-Za-z])(?<IsStateSafe>[^\d]*)(?<StateId>\d{2})(?<NameOfState>\S+)"

let me know if this helps!

493669 · ‎02-06-2018

Try this run anywhere search:

 |makeresults|eval _raw="Y02State"|rex "(?<IsStateLegal>\w{1})(?<IsStateSafe>\w)?(?<StateId>\d{2})(?<NameOfState>\w+)"

cpetterborg · ‎02-07-2018

|makeresults|eval _raw="Y02State"|rex "(?<IsStateLegal>\w{1})(?<IsStateSafe>\w)?(?<StateId>\d{2})(?<NameOfState>\w+)"

This will result in half the number of steps required to match. The greedy * makes it work twice as much in this case.

493669 · ‎02-07-2018

thanks @cpetterborg. So with ? instead of * will improve performance in this case..updated the answer.

How to extract a field using rex that may or may not be present?

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform