Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract fields values including keywords

Mr_Adate
Explorer
‎02-20-2023 12:42 AM

I have three fields like "

field1=SGSIFASFFWR035A

field2=AXAZCBDM02

fields3=ESESDFAADFSABBM00002

in above examples I want to extract field values like these;

field1=FWR035A (any character after FW* including FW)

field2=BDM02 (any character after BDM* including BDM)

fields3=BBM00002 (any character after BBM* including BBM )

additionally, I want to  to use single  command to extract all three field values in one go.

like "FW*|BDM"|BBM*"

 

I am using below rex command to extract it but it is not including FW keyword in extracted field

| rex field= field1 "FW(?<AFTERTHISKEYWORD>\S+)"

 

if you can provide a workable solution either using rex and eval or another code, it would be appreciated.

 

Thanks in advance..

 

Labels (3)
Labels
0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 01:26 AM

I have uploaded .csv file 

FirewallInterfaceDescription
SGSIFASFFWR035Aport8xafdy
AXAZCBDM02port15.2wawfesvcds 
ESESDFAADFSABBM00002port11asdfasdf

 

I want to extract field values from Firewall field name

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-20-2023 01:54 AM

Hi @Mr_Adate,

have you in your props.conf the "INDEXED_EXTRACTIONS = csv" option ?

If yes, you should already have the data separated as fields.

Tiy can find many video that describe how to do it, e.g. https://www.youtube.com/watch?v=3kx0OGKy_XU

Ciao.

Giuseppe

0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 02:20 AM

Thanks for your reply.. 

 

I have uploaded file as lookup not props.conf.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-20-2023 12:59 AM

rex can't be used to operate on more than one field at a time. However, you could operate on _raw, but in order to help you, you would need to share some examples of your raw events (not just the fields you have already extracted).

0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 01:28 AM

I don't have _raw filed as I am uploading file from csv format 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-20-2023 12:50 AM

Hi @Mr_Adate,

could you share some sample of your logs to test the regex?

then, if you already have fields1, field2 and field3 and you want to take all the content, including prefix, whay do you need a regex?

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top