Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help of rex?

Shan
Builder
‎04-06-2020 07:12 AM

Dear Friends,

Need you're help on writing a rex. As per my requirement. what ever value comes before a space need to be considered as first value and need to be extracted. values need to extracted and stored in field (checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)

Sample try (?P<Clu>DATA_ACE)

Sample data:

DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
Data*now

Thanks in advance ...

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎04-06-2020 01:19 PM 
| makeresults 
| eval data="(checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)" 
| rex field=data max_match=0 "(?<extracted>\w[^,()]*)"
0 Karma
Reply

dindu
Contributor
‎04-06-2020 07:26 AM

Hi ,
Could you please try the below.

|makeresults
|eval _raw= "input_field
DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
 Data*now"
|multikv forceheader=1
|table input_field
|rex field=input_field "(?P<extracted_field>.*)\s"

Modify the last line if you want to extract anything before the special characters like - 

|rex field=input_field "(?P<extracted_field>.*)(\_|\@|\s|\*)"
0 Karma
Reply

Shan
Builder
‎04-06-2020 07:41 AM

HI @dindu

Thanks for ur reply. I forgot to mention one more thing for some case we need only values before 2nd _. Out of above sample data i need to extract value as mentioned below .
(checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)

Thanks..

0 Karma
Reply

dindu
Contributor
‎04-07-2020 06:49 AM

Hi,

Based on your requirement could you please try the below.

  |makeresults
  |eval _raw= "input_field
    DATA_ACE_CHE_Team
    FdTest@Labcatr
   DATA_ACE_CADD_Team
   DATA_ACE_CAM_Team
   DATA_ACE
   DATA_ACE_CSS_Team
   FG_sam
  Check@#$values
  checkme Data
  D&*fuse
  Data*now"
  |multikv forceheader=1
  |table input_field
  |rex field=input_field "(?P<extracted_field>.*)(?:\_.+\_)"

Also, could you please give expected input and output fields if this is not your requirement?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...