Splunk Search

How to use regex in calculated fields?

bitnapper
Path Finder

Hi, I've been told, that using field extractions on json is not best practis and that I should use calculated fields instead. In some cases thats easy and I can use replace or other methods to do that but in some it is more difficult. 

I have some events giving me information about software versions. When I try to extract the version string from as follows, I get the results for events containing this string. In all other cases I get the complete string instead. What I need is the matching string or nothing. I couldn't figure out how to do that.

replace(message, "^My Software Version (\S+).*", "\1") 

 

Labels (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

Using replace will replace the string if a match is found. If no match is found, it will not replace aything.

You can using "if" statement 

if(match(message, "^My Software Version (\S+).*"), replace(message, "^My Software Version (\S+).*", "\1"), "")

The last "" means that the assigned field will be an empty string, but if you want that field not to exist for that event, then use null() instead

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

Using replace will replace the string if a match is found. If no match is found, it will not replace aything.

You can using "if" statement 

if(match(message, "^My Software Version (\S+).*"), replace(message, "^My Software Version (\S+).*", "\1"), "")

The last "" means that the assigned field will be an empty string, but if you want that field not to exist for that event, then use null() instead

bitnapper
Path Finder

Thanks, thats works.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @bitnapper,

I'd use the rex command in sed mode to do this (https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Rex)

something like this:

| rex field=message mode=sed "s/^My Software Version (\S+).*/NA/g"

I'm not sure about the condition, could you share some sample of both data types with the exact substitution you whould have?

Ciao.

Giuseppe

0 Karma

bitnapper
Path Finder

Hi @gcusello,

thanks for your reply. I tested the regex with the | rex command. It not that I can't extract the data. I just can't extract it with the calculated field extraction. As far as I understand, everything that works with | eval would work in calculated fields. Thats why I do it with replace in cases where I know that I have a match in every event.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...