Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract fields values including keywords

Mr_Adate
Explorer
‎02-20-2023 12:42 AM

I have three fields like "

field1=SGSIFASFFWR035A

field2=AXAZCBDM02

fields3=ESESDFAADFSABBM00002

in above examples I want to extract field values like these;

field1=FWR035A (any character after FW* including FW)

field2=BDM02 (any character after BDM* including BDM)

fields3=BBM00002 (any character after BBM* including BBM )

additionally, I want to  to use single  command to extract all three field values in one go.

like "FW*|BDM"|BBM*"

 

I am using below rex command to extract it but it is not including FW keyword in extracted field

| rex field= field1 "FW(?<AFTERTHISKEYWORD>\S+)"

 

if you can provide a workable solution either using rex and eval or another code, it would be appreciated.

 

Thanks in advance..

 

Labels (3)
Labels
0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 01:26 AM

I have uploaded .csv file 

FirewallInterfaceDescription
SGSIFASFFWR035Aport8xafdy
AXAZCBDM02port15.2wawfesvcds 
ESESDFAADFSABBM00002port11asdfasdf

 

I want to extract field values from Firewall field name

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-20-2023 01:54 AM

Hi @Mr_Adate,

have you in your props.conf the "INDEXED_EXTRACTIONS = csv" option ?

If yes, you should already have the data separated as fields.

Tiy can find many video that describe how to do it, e.g. https://www.youtube.com/watch?v=3kx0OGKy_XU

Ciao.

Giuseppe

0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 02:20 AM

Thanks for your reply.. 

 

I have uploaded file as lookup not props.conf.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-20-2023 12:59 AM

rex can't be used to operate on more than one field at a time. However, you could operate on _raw, but in order to help you, you would need to share some examples of your raw events (not just the fields you have already extracted).

0 Karma
Reply

Mr_Adate
Explorer
‎02-20-2023 01:28 AM

I don't have _raw filed as I am uploading file from csv format 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-20-2023 12:50 AM

Hi @Mr_Adate,

could you share some sample of your logs to test the regex?

then, if you already have fields1, field2 and field3 and you want to take all the content, including prefix, whay do you need a regex?

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...