Splunk Search

How to extract a field using rex that may or may not be present?

Naren26
Path Finder

Consider I am having two string - "YY02State" and "Y02State"

In the above strings, I have to extract the fields like:
Y - IsStateLegal
Y - IsStateSafe
02 - StateId
State - NameOfState

There might be instances when the IsStateSafe field is not available in the log entry, like it is in the second string "Y02State". How can I write rex for this? Please note the other fields will always be available.

I tried the following rex, but of no luck.

(?<IsStateLegal>\w{1})(?<IsStateSafe>\w*.{1})(?<StateId>d{2})(?<NameOfState>\w*)

Please suggest a solution for this.

Tags (2)
0 Karma

mayurr98
Super Champion

hey @Naren26,

Try this run anywhere search

| makeresults 
| eval raw="YY02State Y02State N32State YN02State" 
| makemv raw 
| mvexpand raw 
| rex field=raw "(?<IsStateLegal>[A-Za-z])(?<IsStateSafe>[^\d]*)(?<StateId>\d{2})(?<NameOfState>\S+)"

In your environment, you should write

| rex field=_raw "(?<IsStateLegal>[A-Za-z])(?<IsStateSafe>[^\d]*)(?<StateId>\d{2})(?<NameOfState>\S+)"

let me know if this helps!

0 Karma

493669
Super Champion

Try this run anywhere search:

 |makeresults|eval _raw="Y02State"|rex "(?<IsStateLegal>\w{1})(?<IsStateSafe>\w)?(?<StateId>\d{2})(?<NameOfState>\w+)"
0 Karma

cpetterborg
SplunkTrust
SplunkTrust
|makeresults|eval _raw="Y02State"|rex "(?<IsStateLegal>\w{1})(?<IsStateSafe>\w)?(?<StateId>\d{2})(?<NameOfState>\w+)"

This will result in half the number of steps required to match. The greedy * makes it work twice as much in this case.

493669
Super Champion

thanks @cpetterborg. So with ? instead of * will improve performance in this case..updated the answer.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...