Splunk Search

How to use regex to extract the last value in a line from a known field of a data model?

Contributor

Hi guys,

How to extract one portion of the data model when I have the name of the field.
Sample: field: status, with the following values:

teste\teste1\teste2;teste\teste3\teste4;teste\teste5\teste6

How do I extract the last value in each line?

Thanks

0 Karma
1 Solution

Splunk Employee
Splunk Employee

By default, if you are using a data model and the pivot method of creating visualizations, regular expressions are not immediately available. You'll need to add a regular expression attribute to your data model.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Addaregularexpressionattribute

If you're looking for the third teste in each semicolon delimited group, your regex might look like

 "(?<last_of_three_teste>teste\d)(?:\;|$)"

Else if you're just looking for the very last value, it might look like

 "(?<last_teste>teste\d$)"

If you have the ability, you might want to just extract field at search time.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX

^ Please make sure you choose your version of Splunk when viewing the docs.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

By default, if you are using a data model and the pivot method of creating visualizations, regular expressions are not immediately available. You'll need to add a regular expression attribute to your data model.

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Addaregularexpressionattribute

If you're looking for the third teste in each semicolon delimited group, your regex might look like

 "(?<last_of_three_teste>teste\d)(?:\;|$)"

Else if you're just looking for the very last value, it might look like

 "(?<last_teste>teste\d$)"

If you have the ability, you might want to just extract field at search time.
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX

^ Please make sure you choose your version of Splunk when viewing the docs.

View solution in original post

0 Karma

Contributor

Thanks. I'll test and return for you.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!