Re: How to extract multiple values from output to ...

najaplit · ‎04-08-2021

Hello,

I have a search query that produces a value similar to below. What i am trying to accomplish is to extract the "Data", "Time", and "Notes" section and to output those values to a table with each in a separate column. What would be an efficient way to accomplish this? I am seeing some regex syntax fines but not as familiar with it. Any help is appreciated. Thanks!

----------------------------------------

Value:

CompName: XXX XXX Type: XXX EmpName: XXX Date: XX-XX-XXXX Time 9:00AM Notes: XXXX

ITWhisperer · ‎04-08-2021

I modified your example show it working for PM times and included a colon after Time to make it consistent, but this is an example of how you might approach it

| makeresults 
| eval _raw="CompName: XXX XXX Type: XXX EmpName: XXX Date: 23-03-2021 Time: 9:00PM Notes: WXYZ"
| rex "Date:\s(?<date>[^\s]+)\sTime:\s(?<time>[^\s]+)\sNotes:\s(?<notes>.*)"
| eval _time=strptime(date." ".time,"%d-%m-%Y %I:%M%p")

How to extract multiple values from output to create new column in table with associated values

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!

Are you a member of the Splunk Community?

How to extract multiple values from output to create new column in table with associated values

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!