Solved: How to split a field into two different fields usi...

pavanae · ‎05-12-2023

I have a field as follows in the logs

user="userAbc1 (host1234)"

As you can see both the username and hostname fields are together in the user field. Now how do I apply regex and separate both the fields into 2 corresponding fields as follows

user=userAbc1

host=host1234

gcusello · ‎05-12-2023

Hi @pavanae.

please try this:

| rex field=user "^(?<user>.*)\s+\((?<host>[^\)]*)\)"

Ciao.

Giuseppe

View solution in original post

richgalloway · ‎05-12-2023

Try this rex command.

| rex field=foo "(?<user>\S+)\s\((?<host>=[^\(]+)"

---
If this reply helps you, Karma would be appreciated.

gcusello · ‎05-12-2023

Hi @pavanae.

please try this:

| rex field=user "^(?<user>.*)\s+\((?<host>[^\)]*)\)"

Ciao.

Giuseppe

gcusello · ‎05-12-2023

Hi @pavanae ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

How to split a field into two different fields using eval in Splunk?

eval

field extraction

fields

regex

rex

See just what you’ve been missing | Observability tracks at Splunk University

Weezer at .conf25? Say it ain’t so!

How SC4S Makes Suricata Logs Ingestion Simple

Are you a member of the Splunk Community?

How to split a field into two different fields using eval in Splunk?