Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use regex to reformat a field?

ronbuzon
New Member
‎08-14-2018 08:25 AM

Need assistance regex to reformat the field

the field is Message. And the output is

"Reason: Details: Attributes: folderPathname folder ManagerDisplayName david foster OwnerEmail user@useremail"

when developing the regex to select anything after "Attributes:" i was able to create this rex

(?i)Attributes: (?.+)

It works in regex101.com and displays this field

the SPLUNK query that I wrote is:

(base search)||rex field=Message "Attributes: (?.+)

But the message field still shows the entire message value.

Any assistance will help

Tags (2)
0 Karma
Reply

niketn
Legend
‎08-21-2018 08:25 AM

@ronbuzon , I think @493669 has already given you updated query... you need to provide a name for the capturing group, which is your case is Message. You should try the following:

<yourExistingSearch>
| rex field=Message "Attributes: (?<Message>.+)"

You can test the same on regex101 as well https://regex101.com/r/SZzS59/1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

horsefez
Motivator
‎08-21-2018 07:33 AM

Hi @ronbuzon,

if you are trying to extract the following data out of the given string, then try something like this.

Your sample data:
Reason: Details: Attributes: folderPathname folder ManagerDisplayName david foster OwnerEmail user@useremail

What you want to extract:
folderPathname folder ManagerDisplayName david foster OwnerEmail user@useremail

How you can do that:
| rex field=Message "Attributes:\s*(?.+)"

Please give me feedback, if that solves your problem.

0 Karma
Reply

ronbuzon
New Member
‎08-21-2018 07:46 AM

Hi @pyro_wood
thanks for responding and giving your input.

i tried your solution and got this error:

Error in 'rex' command: Encountered the following error while compiling the regex 'Attributes:\s*(?.+)': Regex: unrecognized character after (? or (?-

0 Karma
Reply

horsefez
Motivator
‎08-23-2018 12:09 PM

Hi @ronbuzon,

sorry for the late reply.

Let me fix that solution:

| rex field=Message "Attributes:\s*(?<Attributes>.+)"

0 Karma
Reply

sudosplunk
Motivator
‎08-15-2018 12:36 PM

Hi there, are you trying to trim values of Message field after indexing and create a new field new_field with these trimmed values? Or are you trying to trim the values of Message field before indexing?

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎08-14-2018 04:07 PM

regex101 reports a pattern error on:

(?i)Attributes: (?.+)

If you wanted to capture the part after attributes then it would be:

(?i)Attributes: (?P<fieldname>.+)

If you wanted to regex match then it would be | rexgex :

(?i)Attributes: (.+)
-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

ronbuzon
New Member
‎08-15-2018 11:36 AM

Gjanders,

Thank you for the recommendation and the feedback.

I used the regex command you have provided. however, the field from the search results still provide the entire value of the field. It seems like the rex command does not work.

(base search)||rex field=Message " (?i)Attributes: (?P.+)"

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎08-15-2018 02:59 PM

If your goal was to create a new field then:

 (base search)|rex field=Message " (?i)Attributes: (?P<new_field>.+)"

You could potentially override the Message field at search time, where I'm assuming message is a valid field name:

 (base search)|rex field=Message " (?i)Attributes: (?P<Message>.+)"

If you wanted to do this at index time it's completely different, or if your trying to extract the field with the name message from the event itself:

 (base search)|rex " (?i)Attributes: (?P<Message>.+)"
-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

493669
Super Champion
‎08-14-2018 08:32 AM

are you trying this :

   ... |rex field=Message "Attributes: (?<Message>.+)"
0 Karma
Reply

ronbuzon
New Member
‎08-14-2018 08:35 AM

Got this error-
Error in 'rex' command: Encountered the following error while compiling the regex 'Attributes: (?.+)': Regex: unrecognized character after (? or (?-

0 Karma
Reply

493669
Super Champion
‎08-14-2018 08:37 AM

updated the query ...special characters was missed

0 Karma
Reply
Get Updates on the Splunk Community!

Transforming Financial Data into Fraud Intelligence

Every day, banks and financial companies handle millions of transactions, logins, and customer interactions ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...
Top