Splunk Search

How to write the regex to extract multiple values into a single field?

visa87
Explorer

I have a log file containing information logged in the below format:

Response Received from ABC service for Submit
The following response has been received from XYZ for Submit

and so on.

I am interested in the values ABC, XYZ, etc. So I want to extract these values to a single field, say Field1.

How can I do this?


chanfoli
Builder

The approach I think is cleanest (at least to my eyes) is to write these as separate extractions then merge them in your search. This trick is borrowed from lguinn's excellent answer to a related question here

yoursearchhere |
eval output = field1 + ";" + field2 |
makemv delim=";" output |
mvexpand output

Just make sure that your fields won't contain semicolons, if so, pick a different delim.

aholzer
Motivator

Are those two separate events or one event that you are extracting the ABC and XYZ from?

If it's two separate events, you can easily use an "or" in your regex to look for two different patterns. Try this:

<base search> | rex "(Response Received from|has been received from) (?P<my_field>[^\s]+)( service)? for Submit$"

This basically looks for either "Response Received from" or "has been received from" before capturing your field, and looks for "for Submit" after the capture. Note that the "$" anchors the "for Submit" to the end of the event; you may want to skip that if the above were shortened examples of your events.

Technically, because your two events are so similar, it would be simpler to do a simpler rex:

<base search> | rex "(?P<my_field>[^\s]+)( service)? for Submit$"

Because in both your cases the value is followed by "for Submit" or "service for Submit", it really doesn't matter what comes before it.

Hope this helps
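To make the two answers above concrete, here is an added Python example (not from the thread, and not Splunk code) that runs aholzer's two regexes and chanfoli's extract-then-merge trick over a handful of constructed sample events. The third event has trailing text after "for Submit" to show what the "$" anchor does; `rex`, `merge_fields`, the `RE_*` patterns and the sample events are all assumptions made here for illustration, not anything from Splunk's own API.

```python
import re

# Constructed sample events in the format the question describes. The third
# one has text after "for Submit" to exercise the "$" anchor caveat.
EVENTS = [
    "Response Received from ABC service for Submit",
    "The following response has been received from XYZ for Submit",
    "Response Received from DEF service for Submit (took 12ms)",
]

# aholzer's first regex: alternation on the two prefixes, an optional
# " service", and "for Submit" anchored to the end of the event.
RE_ALTERNATION = re.compile(
    r"(Response Received from|has been received from) "
    r"(?P<my_field>[^\s]+)( service)? for Submit$"
)

# aholzer's simpler regex: only what follows the value matters.
RE_SIMPLE = re.compile(r"(?P<my_field>[^\s]+)( service)? for Submit$")

# The same pattern without "$", for events that do not end at "for Submit".
RE_SIMPLE_UNANCHORED = re.compile(r"(?P<my_field>[^\s]+)( service)? for Submit")


def rex(events, pattern):
    """Emulate `| rex`: return the named capture per event, None if no match."""
    results = []
    for event in events:
        match = pattern.search(event)
        results.append(match.group("my_field") if match else None)
    return results


# chanfoli's approach: two separate extractions, then merge with a delimiter
# and split again (the SPL eval / makemv / mvexpand chain).
RE_FIELD1 = re.compile(r"Response Received from (?P<field1>\S+) service for Submit")
RE_FIELD2 = re.compile(r"has been received from (?P<field2>\S+) for Submit")
DELIM = ";"


def merge_fields(events, delim=DELIM):
    """Return one flat list of extracted values, like mvexpand over the merged field."""
    output = []
    for event in events:
        parts = []
        for pattern, name in ((RE_FIELD1, "field1"), (RE_FIELD2, "field2")):
            match = pattern.search(event)
            if match:
                value = match.group(name)
                # chanfoli's caveat: a delimiter inside a value would make
                # makemv split that value into pieces, so refuse it here.
                if delim in value:
                    raise ValueError(f"value {value!r} contains delimiter {delim!r}")
                parts.append(value)
        if parts:
            merged = delim.join(parts)          # eval output = field1 + ";" + field2
            output.extend(merged.split(delim))  # makemv delim=";" output | mvexpand output
    return output


if __name__ == "__main__":
    print("alternation, anchored:  ", rex(EVENTS, RE_ALTERNATION))
    print("simple, anchored:       ", rex(EVENTS, RE_SIMPLE))
    print("simple, unanchored:     ", rex(EVENTS, RE_SIMPLE_UNANCHORED))
    print("merged single field:    ", merge_fields(EVENTS))
```

The anchored patterns return nothing for the third event, which is exactly the case aholzer warns about; dropping the "$" recovers it. One SPL detail the Python emulation glosses over: in Splunk's eval, `field1 + ";" + field2` evaluates to null when either field is missing from an event, so for events where only one of the two extractions fires you would normally wrap each field in `coalesce()` (or build the multivalue with `mvappend`) before the makemv step.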
