How to pull multiple fields from one field in Splu... - Splunk Community

Splunk Search

Example field value in "Field1"

Test1: Successful Test2: 200 Type: Http; Auth: ** URL: abc.com..... IP--Address: xx.xxx.xx.xx Name: xxxxx Path Location: /hdkdsd-/hkk/gdjshd Level: abc User: xxx Site: vjsdjsd

Below query not returning any value:

index=xxx

| rex field=Field1 "Test2\:\s+(?<A1>\d+)\s+"

| rex field=Field1 "URL\:\s+(?<A2>\w+)\s+"

| rex field=Field1 "User\:\s+(?<A3>\w+)\s+"

| table A1, A2, A3

please try this:

| rex field=Field1 "Test2:\s*(?<A1>\d+).*URL:\s*(?<A2>[^ ]*).*User:\s*(?<A3>[^ ]*)"

that you can test at https://regex101.com/r/kj44MB/1

if the events could change, you can put the three regex extractions in three different rex commands.

| rex field=Field1 "Test2:\s*(?<A1>\d+)
| rex field=Field1 "URL:\s*(?<A2>[^ ]*)
| rex field=Field1 "User:\s*(?<A3>[^ ]*)"

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...