Splunk Search
Highlighted

Need help of rex?

Dear Friends,

Need you're help on writing a rex. As per my requirement. what ever value comes before a space need to be considered as first value and need to be extracted. values need to extracted and stored in field (checkme,DATAACE, FdTest@Labcatr, FGsam, Check@#$values, D&fuse,Datanow)

Sample try (?P<Clu>DATA_ACE)

Sample data:

DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
Data*now

Thanks in advance ...

Tags (2)
0 Karma
Highlighted

Re: Need help of rex?

Contributor

Hi ,
Could you please try the below.

|makeresults
|eval _raw= "input_field
DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
 Data*now"
|multikv forceheader=1
|table input_field
|rex field=input_field "(?P<extracted_field>.*)\s"

Modify the last line if you want to extract anything before the special characters like -

|rex field=input_field "(?P<extracted_field>.*)(\_|\@|\s|\*)"
0 Karma
Highlighted

Re: Need help of rex?

HI @dindu

Thanks for ur reply. I forgot to mention one more thing for some case we need only values before 2nd . Out of above sample data i need to extract value as mentioned below .
(checkme,DATA
ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&fuse,Datanow)

Thanks..

0 Karma
Highlighted

Re: Need help of rex?

Contributor

Hi,

Based on your requirement could you please try the below.

  |makeresults
  |eval _raw= "input_field
    DATA_ACE_CHE_Team
    FdTest@Labcatr
   DATA_ACE_CADD_Team
   DATA_ACE_CAM_Team
   DATA_ACE
   DATA_ACE_CSS_Team
   FG_sam
  Check@#$values
  checkme Data
  D&*fuse
  Data*now"
  |multikv forceheader=1
  |table input_field
  |rex field=input_field "(?P<extracted_field>.*)(?:\_.+\_)"

Also, could you please give expected input and output fields if this is not your requirement?

0 Karma
Highlighted

Re: Need help of rex?

Ultra Champion
| makeresults 
| eval data="(checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)" 
| rex field=data max_match=0 "(?<extracted>\w[^,()]*)"
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.