Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to parse a field to use later in a table

petersonjared
Explorer
‎01-30-2020 05:10 PM

Can someone please help me parse the field of FunctionArn for the account id value ( "65123456723" in the example) from the within a search that I can use to pass to a lookup to get the "friendly" account name of that account id?

....
FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today
....

thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎01-30-2020 07:23 PM

Hi

Check this

| makeresults 
| eval test="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| eval temp=split(test,":") 
| eval accountid = mvindex(temp,5) 
| table accountid

or

| makeresults 
| eval test="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| rex field=test "FunctionArn:\s+\S+\:(?P<accountid>[[:digit:]]+)\:"

View solution in original post

Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎01-30-2020 07:23 PM

Hi

Check this

| makeresults 
| eval test="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| eval temp=split(test,":") 
| eval accountid = mvindex(temp,5) 
| table accountid

or

| makeresults 
| eval test="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| rex field=test "FunctionArn:\s+\S+\:(?P<accountid>[[:digit:]]+)\:"
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-31-2020 01:07 AM

[[:digit:]], cool.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎01-31-2020 10:44 AM

Equivalent to \d or [0-9]

0 Karma
Reply
Solved! Jump to solution

petersonjared
Explorer
‎01-31-2020 08:08 AM

This is fanastic, thank you! I am glad to learn about makeresults.

Is there a way to have makeresult, or a different means, to have the "test" value able to run through the Splunk regex generation tool within extracting fields?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-31-2020 02:40 PM 
| makeresults 
| eval _raw="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| rex "FunctionArn:\s+\S+\:(?P<accountid>\d+)\:" 
| appendpipe 
    [ eval accountid1=mvindex(split(_raw,":"),5) 
    | appendpipe 
        [ eval accountid2=replace(_raw,"^.*(\d{11}).*$","\1") 
        | appendpipe 
            [ rex "(?<accountid3>\d{11})"]]]

like that?

0 Karma
Reply
Solved! Jump to solution

petersonjared
Explorer
‎01-30-2020 05:12 PM

So basically, I am looking for help in filling in something like:
| rex field=FunctionArn .......................................

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top