Solved: How to split a field into two different fields usi...

pavanae · ‎05-12-2023

I have a field as follows in the logs

user="userAbc1 (host1234)"

As you can see both the username and hostname fields are together in the user field. Now how do I apply regex and separate both the fields into 2 corresponding fields as follows

user=userAbc1

host=host1234

gcusello · ‎05-12-2023

Hi @pavanae.

please try this:

| rex field=user "^(?<user>.*)\s+\((?<host>[^\)]*)\)"

Ciao.

Giuseppe

View solution in original post

richgalloway · ‎05-12-2023

Try this rex command.

| rex field=foo "(?<user>\S+)\s\((?<host>=[^\(]+)"

---
If this reply helps you, Karma would be appreciated.

gcusello · ‎05-12-2023

Hi @pavanae.

please try this:

| rex field=user "^(?<user>.*)\s+\((?<host>[^\)]*)\)"

Ciao.

Giuseppe

gcusello · ‎05-12-2023

Hi @pavanae ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

How to split a field into two different fields using eval in Splunk?

eval

field extraction

fields

regex

rex

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

How to split a field into two different fields using eval in Splunk?

Can’t make it to .conf25? Join us online!