Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract fields values including keywords

Mr_Adate
Explorer
‎02-20-2023 12:42 AM

I have three fields like "

field1=SGSIFASFFWR035A

field2=AXAZCBDM02

fields3=ESESDFAADFSABBM00002

in above examples I want to extract field values like these;

field1=FWR035A (any character after FW* including FW)

field2=BDM02 (any character after BDM* including BDM)

fields3=BBM00002 (any character after BBM* including BBM )

additionally, I want to  to use single  command to extract all three field values in one go.

like "FW*|BDM"|BBM*"

 

I am using below rex command to extract it but it is not including FW keyword in extracted field

| rex field= field1 "FW(?<AFTERTHISKEYWORD>\S+)"

 

if you can provide a workable solution either using rex and eval or another code, it would be appreciated.

 

Thanks in advance..

 

Labels (3)
Labels
0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 01:26 AM

I have uploaded .csv file 

FirewallInterfaceDescription
SGSIFASFFWR035Aport8xafdy
AXAZCBDM02port15.2wawfesvcds 
ESESDFAADFSABBM00002port11asdfasdf

 

I want to extract field values from Firewall field name

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-20-2023 01:54 AM

Hi @Mr_Adate,

have you in your props.conf the "INDEXED_EXTRACTIONS = csv" option ?

If yes, you should already have the data separated as fields.

Tiy can find many video that describe how to do it, e.g. https://www.youtube.com/watch?v=3kx0OGKy_XU

Ciao.

Giuseppe

0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 02:20 AM

Thanks for your reply.. 

 

I have uploaded file as lookup not props.conf.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-20-2023 12:59 AM

rex can't be used to operate on more than one field at a time. However, you could operate on _raw, but in order to help you, you would need to share some examples of your raw events (not just the fields you have already extracted).

0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 01:28 AM

I don't have _raw filed as I am uploading file from csv format 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-20-2023 12:50 AM

Hi @Mr_Adate,

could you share some sample of your logs to test the regex?

then, if you already have fields1, field2 and field3 and you want to take all the content, including prefix, whay do you need a regex?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...