Re: Pull multiple fields from one field in splunk

harryhcg · ‎05-16-2023

Example field value in "Field1"

Test1: Successful Test2: 200 Type: Http; Auth: ** URL: abc.com..... IP--Address: xx.xxx.xx.xx Name: xxxxx Path Location: /hdkdsd-/hkk/gdjshd Level: abc User: xxx Site: vjsdjsd

Below query not returning any value:

index=xxx

| rex field=Field1 "Test2\:\s+(?<A1>\d+)\s+"

| rex field=Field1 "URL\:\s+(?<A2>\w+)\s+"

| rex field=Field1 "User\:\s+(?<A3>\w+)\s+"

| table A1, A2, A3

gcusello · ‎05-16-2023

Hi @harryhcg,

please try this:

| rex field=Field1 "Test2:\s*(?<A1>\d+).*URL:\s*(?<A2>[^ ]*).*User:\s*(?<A3>[^ ]*)"

that you can test at https://regex101.com/r/kj44MB/1

if the events could change, you can put the three regex extractions in three different rex commands.

| rex field=Field1 "Test2:\s*(?<A1>\d+)
| rex field=Field1 "URL:\s*(?<A2>[^ ]*)
| rex field=Field1 "User:\s*(?<A3>[^ ]*)"

Ciao.

Giuseppe

How to pull multiple fields from one field in Splunk?

rex

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector