Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to parse a field to use later in a table

petersonjared
Explorer
‎01-30-2020 05:10 PM

Can someone please help me parse the field of FunctionArn for the account id value ( "65123456723" in the example) from the within a search that I can use to pass to a lookup to get the "friendly" account name of that account id?

....
FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today
....

thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎01-30-2020 07:23 PM

Hi

Check this

| makeresults 
| eval test="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| eval temp=split(test,":") 
| eval accountid = mvindex(temp,5) 
| table accountid

or

| makeresults 
| eval test="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| rex field=test "FunctionArn:\s+\S+\:(?P<accountid>[[:digit:]]+)\:"

View solution in original post

Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎01-30-2020 07:23 PM

Hi

Check this

| makeresults 
| eval test="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| eval temp=split(test,":") 
| eval accountid = mvindex(temp,5) 
| table accountid

or

| makeresults 
| eval test="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| rex field=test "FunctionArn:\s+\S+\:(?P<accountid>[[:digit:]]+)\:"
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-31-2020 01:07 AM

[[:digit:]], cool.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎01-31-2020 10:44 AM

Equivalent to \d or [0-9]

0 Karma
Reply
Solved! Jump to solution

petersonjared
Explorer
‎01-31-2020 08:08 AM

This is fanastic, thank you! I am glad to learn about makeresults.

Is there a way to have makeresult, or a different means, to have the "test" value able to run through the Splunk regex generation tool within extracting fields?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-31-2020 02:40 PM 
| makeresults 
| eval _raw="FunctionArn: arn:aws:lambda:us-east-1:65123456723:function:blah-renew-this-today" 
| rex "FunctionArn:\s+\S+\:(?P<accountid>\d+)\:" 
| appendpipe 
    [ eval accountid1=mvindex(split(_raw,":"),5) 
    | appendpipe 
        [ eval accountid2=replace(_raw,"^.*(\d{11}).*$","\1") 
        | appendpipe 
            [ rex "(?<accountid3>\d{11})"]]]

like that?

0 Karma
Reply
Solved! Jump to solution

petersonjared
Explorer
‎01-30-2020 05:12 PM

So basically, I am looking for help in filling in something like:
| rex field=FunctionArn .......................................

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...