
Need help of rex?

Dear Friends,

Need your help writing a rex. As per my requirement, whatever value comes before a space needs to be considered the first value and needs to be extracted. Values need to be extracted and stored in a field (checkme,DATAACE, FdTest@Labcatr, FGsam, Check@#$values, D&fuse,Datanow)

Sample try (?P<Clu>DATA_ACE)

Sample data:

DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
Data*now

Thanks in advance ...

0 Karma

Re: Need help of rex?

Contributor

Hi,
Could you please try the below.

|makeresults
|eval _raw= "input_field
DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
 Data*now"
|multikv forceheader=1
|table input_field
|rex field=input_field "(?P<extracted_field>.*)\s"

Modify the last line if you want to extract anything before the special characters like -

|rex field=input_field "(?P<extracted_field>.*)(\_|\@|\s|\*)"
0 Karma

Re: Need help of rex?

Hi @dindu

Thanks for your reply. I forgot to mention one more thing: for some cases we need only values before 2nd . Out of the above sample data I need to extract values as mentioned below.
(checkme,DATA
ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&fuse,Datanow)

Thanks..

0 Karma

Re: Need help of rex?

Contributor

Hi,

Based on your requirement could you please try the below.

  |makeresults
  |eval _raw= "input_field
    DATA_ACE_CHE_Team
    FdTest@Labcatr
   DATA_ACE_CADD_Team
   DATA_ACE_CAM_Team
   DATA_ACE
   DATA_ACE_CSS_Team
   FG_sam
  Check@#$values
  checkme Data
  D&*fuse
  Data*now"
  |multikv forceheader=1
  |table input_field
  |rex field=input_field "(?P<extracted_field>.*)(?:\_.+\_)"

Also, could you please give expected input and output fields if this is not your requirement?

0 Karma

Re: Need help of rex?

Ultra Champion
| makeresults 
| eval data="(checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)" 
| rex field=data max_match=0 "(?<extracted>\w[^,()]*)"
0 Karma
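
An added example, not part of any post in this thread: a small Python harness that runs two of the patterns posted above and one anchored alternative over the thread's sample rows, so the effect of greedy `.*` versus a negated character class is visible per row. The `ANCHORED` pattern and the helper names are hypothetical, and the expected values assume the special characters are kept, as in the list used in the last reply.

```python
import re

# Sample rows copied from the thread's "Sample data" list.
SAMPLE_ROWS = [
    "DATA_ACE_CHE_Team", "FdTest@Labcatr", "DATA_ACE_CADD_Team",
    "DATA_ACE_CAM_Team", "DATA_ACE", "DATA_ACE_CSS_Team", "FG_sam",
    "Check@#$values", "checkme Data", "D&*fuse", "Data*now",
]

# Patterns posted in the thread (rex uses PCRE; these parse the same in Python).
GREEDY_SPACE = r"(?P<extracted_field>.*)\s"
GREEDY_TWO_UNDERSCORES = r"(?P<extracted_field>.*)(?:\_.+\_)"

# Hypothetical alternative (not from the thread): anchor at the start and use
# negated classes so the match stops at the first whitespace or the second "_".
ANCHORED = r"^\s*(?P<extracted_field>[^_\s]+(?:_[^_\s]+)?)"


def extract(pattern, row):
    """Return the named group for one row, or None when nothing matches."""
    m = re.search(pattern, row)
    return m.group("extracted_field") if m else None


def extract_all(pattern, rows=SAMPLE_ROWS):
    """Map each row to its extracted value so gaps (None) are visible."""
    return {row: extract(pattern, row) for row in rows}


def unique_values(pattern, rows=SAMPLE_ROWS):
    """Distinct extracted values in first-seen order, skipping non-matches."""
    seen = []
    for value in extract_all(pattern, rows).values():
        if value is not None and value not in seen:
            seen.append(value)
    return seen


if __name__ == "__main__":
    for name, pat in [("greedy space", GREEDY_SPACE),
                      ("greedy two underscores", GREEDY_TWO_UNDERSCORES),
                      ("anchored", ANCHORED)]:
        print(name)
        for row, value in extract_all(pat).items():
            print(f"  {row!r:24} -> {value!r}")
```

The `ANCHORED` pattern uses only constructs PCRE also supports, so it can be tried in `rex field=input_field` in place of the last line of the searches above.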