Splunk Search

How to pull multiple fields from one field in Splunk?

harryhcg
Explorer

Example field value in "Field1"

Test1: Successful Test2: 200 Type: Http; Auth: ** URL: abc.com..... IP--Address: xx.xxx.xx.xx Name: xxxxx Path Location: /hdkdsd-/hkk/gdjshd Level: abc User:  xxx Site: vjsdjsd

 

Below query not returning any value:

index=xxx

|  rex field=Field1 "Test2\:\s+(?<A1>\d+)\s+"

|  rex field=Field1 "URL\:\s+(?<A2>\w+)\s+"

|  rex field=Field1 "User\:\s+(?<A3>\w+)\s+"

| table A1, A2, A3

Labels (1)
Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @harryhcg,

please try this:

| rex field=Field1 "Test2:\s*(?<A1>\d+).*URL:\s*(?<A2>[^ ]*).*User:\s*(?<A3>[^ ]*)"

that you can test at https://regex101.com/r/kj44MB/1

if the events could change, you can put the three regex extractions in three different rex commands.

| rex field=Field1 "Test2:\s*(?<A1>\d+)
| rex field=Field1 "URL:\s*(?<A2>[^ ]*)
| rex field=Field1 "User:\s*(?<A3>[^ ]*)"

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...