Re: How to rex field in unstructured flat file eve...

jhantuSplunk · ‎05-26-2020

I am breaking every line in flat file and trying to fetch the field using rex, this is how my events looks like:

98000020200512 -992.00 0.00 001 01
98000020200523 830566.00 0.00 001 02
98000020200515 -7356.00 0.00 001 03
98000020200516 -18760.00 0.00 001 04
98000020200518 764074.00 0.00 001 05
98000020200530 165432.00 0.00 001 06
98000020200531 98715.00 0.00 001 07
98000020200511 119993.00 0.00 001 08
98000020200502 908831.00 0.00 001 09
12000020200507 -5481.00 0.00 001 10

The bold digits need to be extracted as Amount field, where the values could be a negative or positive amount.

to4kawa · ‎05-27-2020

props.conf

TIME_PREFIX = \d{6}
TIME_FORMAT = %Y%m%d
SHOULD_LINEMERGE = false
EXTRACT-unst = ^\d+\s+(?<Amount>[^ ]+)\s+(?<fieldA>[^ ]+)\s+(?<fieldB>[^ ]+)\s+(?<fieldC>[^ ]+)

vnravikumar · ‎05-26-2020

Hi

Try this

| makeresults 
| eval temp="98000020200512 -992.00 0.00 001 01,
98000020200523 830566.00 0.00 001 02,
98000020200515 -7356.00 0.00 001 03,
98000020200516 -18760.00 0.00 001 04,
98000020200518 764074.00 0.00 001 05,
98000020200530 165432.00 0.00 001 06,
98000020200531 98715.00 0.00 001 07,
98000020200511 119993.00 0.00 001 08,
98000020200502 908831.00 0.00 001 09,
12000020200507 -5481.00 0.00 001 10" 
| makemv delim="," temp 
| mvexpand temp 
| eval result= mvindex(split(temp," "),1) 
| table result

gcusello · ‎05-26-2020

Hi @jhantuSplunk,
try this regex

^\d+\s+(?<Amount>[^ ]+)

that you can test at https://regex101.com/r/F24fG0/1

Ciao.
Giuseppe

How to rex field in unstructured flat file events

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...