Splunk Search

How to write a rex to extract values in a field that are delimited by comma?

zacksoft_wf
Contributor

I want to write a rex to extract values in a field that are delimited by comma.

index=group sourcetype="ext:user_accounts"
| rex field=Ldap_group "[,\s]+(?<Ldap_group>[^,]+)"
| stats values(Ldap_group) AS Ldap_group by elid, full_name



The regex I wrote only gave me few values, not all of it. I wanted all values in Ldap_group  to be written separately in different rows .

Requesting assistnce

Field name:
Ldap_group

values: 
 MSV_EM_IMPKliAy_Standard_App,MSV_EM_IM_Federated,MSV_AAD_WkfKBarrier_Enabled,ADTestVrpVen5_23,V-IDaaS_ServiAeNKw_VKKd_Users,DTAA_ADT_AZAD_LIA_SKU_KffiAe365_Teams,MSV_EM_IM_PKKl02_Users,DTAA_EAK_HiplWkkSuppKrt_QA
SPLVRP001-16,PRV_EAK_AS_SRV_HiplWkkSuppKrt_QA,ADTestVrpVen5_23
Wave_WkterAede MyID DesktKp DSK,AppliAatiKnSuppKrtEnVWkeer,KPS-VanBeurionEESSP-KF-3,VAAT-WARP ManaVementMKdule,DTAA_JPT_ITMP_SN_SVAKPS_IP_MAJKR_WkA_MANAVER,AharlKtteDiversityTeam-3,V-KPS-TEAHNKLKVY TMS SP-AN-4,DEM_WalkMe WalkMe ExtensiKn,EES1225AIBBldV31,DTAV_EAK_EAAK(),DTAA_APD_ATK_EANF_PRKD_users,DTAA_VP_EUA_HAPA_FR_PermDisable,ENT-TeAhnKlKVy-All-4,Wave_SimKn Tatham Putty x86,ETIFTE-1,DTAA_EIT_AAV_IdaaS_JPTLearner,DTAA_AFV_ITE_TEAH_PIBI_Users,APP_HitaAhi Vantara HAP Anywhere 4.5.0.4,Tera-Partners-24,APP_KraAle Java JDK 8uXXX -X86-,MSV_EM_IM_Federated,DTAA_EIT_EAAA_EAS_IDaaS_lKVWk,SP-PermissiKns-TimSlKanKrV-32,DTAA_EIT_TRIAV_Users,DP-TeAhnKlKVyVanBeurion-4,DTAA_NSK_IAS-SNVA_Default,MSV_EM_IM_VrKupAhat,AXAlients-32,V-SP_TEAH_FTE-3,APP_M365 KffiAe - MKnthly Enterprise Ahannel,V-AIA TEAM MEMBERS-2,DTAA_KRA_PRPX_BusKwnerEdit,DTAA_EIT_WWARP_View_AAAess,DTAA_AAK_ARS2S_JP_AKntraAt_ExAeptiKn,APP_SimKn Tatham PuTTY -X86-,V-KTV-TeAhnKlKVy-4,V-TIS-EPS-All-1,DTAA_AKK_TRIMS_VrKup_RelatiKnship_ManaVer_JPT,iPhKneUsers_VKKd_BYKD,APP_REALTEK USB VBE DRIVER 23.50.0211.2022,DTAA_AKK_TRIMS_VrKup_EnVaVement_ManaVer_JPT,DTAA_EIT_PMT_BPAN_IDaaS_ReadKnly,DKE-SP-TeAh_FTE-3,DTAA_AFV_EAPT_User,DTAS_NSK_IAS_ValidatiKnKnly1,NKtReVulatedUsersTKJKurnal-40,DTAA_AFV_EAPT_User_AKnfiiontial,MSVWk_AD_DEV_iKS_BYKD,DTAA_AFV_1WkV_AAAESS,APP_SynaptiAs DisplayLWkk VraphiAs 23.3.6400.0,ExAhanVeTeAhALT_AIA_FTE,DTAA_EIT_PSVHT_IdaaS_JPTLearner,Wave_MiArKsKft .NETDesktKpRuntime x64,PMSV-eaAKAKn-SendAs,DTAA_AFV_ADMF_TMDL_Kwner,DTAA_JPT_ITMP_SN_ITIL_USER_TEAHNKLKVY,DTAA_ADT_AZAD_LIA_SKU_KffiAe365_Teams,DTAA_TIV_Tab_ADMF_MAD_Wkt,1AAAAllUsers-31,MSV_AAD_WkfKBarrier_Enabled,DTAA_TIV_Tab_EAAK_EPPIA_Wkt,APP_WaaS_JP_Wksiders,Wave_ZKKm VideK AKmmuniAatiKns,AharlKtteDireAtKry-5,WAV_PRD_NP_1_TM_KX_Primary,MSVWk_ADT_AZAD_LIA_SKU_KffiAe365_Wktune,SredMyAppsMKbile,DTAA_TIV_Tab_ADMF_TMDL_Wkt,DTAA_AHS_PKrtal_IE_HKME,MSVTP_AallWkV_Private,PMSV-EAAKMessaVWkV-SendAs,DTAA_NSK_Wkternal_SKAial_AllKwed_Users,WkteVratedMarketWkVAllExAeptTellers-30,DTAA_AFV_MIM_TMIM_BUSWkESS_UNIT_KPERATKR,MSVTP_MessaVWkV_AhatKn,V-ETI TEAHNKLKVY FTE-3,Wave_VKKVle AhrKme,DTAA_VP_EUA_HAPA_FR_RemKval,DTAA_EIT_TRIAV_RepKrts,PMSV-eaAKAKn,SP_ALM_Read_AAAess_FWk_TeAh_DL-4,PriKrity_RemKte_AAAess_EAAK_Tier1,EITAll-4,APP_ZKKm ZKKm,MSVTP_MeetWkV_App_Aud_Vid_ExtAKnf,saEionTAKnneAt,Wave_AisAK Jabber,Wave_WkterAede MyID WWkdKws WkteVratiKn ServiAe,DTAA_ENT_HAPA_PKD0033,IMAKrpKrateAll-29,JP-TeAhnKlKVy-All-FTE-3,MSV_EM_IM_PKKl05_Users,V-SIFFERMAN FTE,EES1225AIBBldV3,MSV_EM_IMPKliAy_Standard_App_Aud_Vid_ReA_DialWk_ExtAKnf,DTAA_APD_ATK_EJRA_BSD_PRKD_JSW_users,LeVal_TeAhnKlKVy-4,Wave_KraAle Java JDK 8U x86,DEM_MiArKsKft EdVe WebView2 Runtime,DTAA_TKV_Pixel_Users,MSVTP_MeetWkV_App_Aud_Vid,VADI-RKKtTeamsPrKxyExAeptiKn,PilKt_MKbile_Users_Teams,DTAA_TIV_Tab_ADMF_DMI_BMD_Wkt,DTAA_WkD_1DIM_USER,SP-TS-All-32,AMTRADS-AllSaul-4,PMSV-EAAKMessaVWkV,Wave_WkterAede MyID Self-ServiAe App,RMSShare-45,DTAA_AFV_EAPT_VlKbalRead,APP_WktradK 911 LKAatiKn ManaVer 1.7.1,DTAA_TIV_Tab_EDQ_WkT

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @zacksoft_wf,

add the option max_match=0 to the rex command.

index=something sourcetype="something"
| rex max_match=0 field=Ldap_group "(?<Ad_group>[^,\n]+)"
| stats values(Ldap_group) AS Ldap_group BY elid, full_name

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @zacksoft_wf,

please try this regex

| rex field=Ldap_group "(?<group>[^,\n]+)"

that you can test at https://regex101.com/r/jVBcx4/1

Ciao.

Giuseppe

0 Karma

zacksoft_wf
Contributor

I tried it but it still shows the same  😞

index=something sourcetype="something"
| rex field=Ldap_group "(?<Ad_group>[^,\n]+)"
| stats values(Ldap_group) AS Ldap_group by elid, full_name

It showed only three values from the Ldap_group field, But if you see the field it has a lot of values delimeted by comma.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @zacksoft_wf,

add the option max_match=0 to the rex command.

index=something sourcetype="something"
| rex max_match=0 field=Ldap_group "(?<Ad_group>[^,\n]+)"
| stats values(Ldap_group) AS Ldap_group BY elid, full_name

Ciao.

Giuseppe

zacksoft_wf
Contributor

Thank you so much @gcusello 

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...