Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Nested Field Extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have extracted a field that contains two values separated by a dash character "-". Now I want to retain that field/value as well as splitting its value into two additional fields.
For example:
combined_field = "1A-1B" (or src_zone-dst_zone)
src_zone = "1A" (one or more numbers followed by a single letter)
dst_zone = "1B" (one or more numbers followed by a single letter)
This rex worked (?< combined_field>[^\t]+) for capturing combined_field = "1A-1B".
(fields are tab separated)
This rex worked (?< combined_field>(?< src_zone>\d+\w+)[^\t]+) for capturing both combined_field = "1A-1B" and src_zone = "1A".
However, this rex (?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>\d+\w+)[^\t]+) fails to capture src_zone or dst_zone.
How can I revise this rex to capture the combined_field in its entirety, src_zone and dst_zone?
Thanks,
Patrick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some experimentation I arrived at a solution:
(?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>[^\t]+))\t+
Yielded the desired results:
combined_field = "1A-1B"
src_zone = "1A"
dst_zone = "1B"
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some experimentation I arrived at a solution:
(?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>[^\t]+))\t+
Yielded the desired results:
combined_field = "1A-1B"
src_zone = "1A"
dst_zone = "1B"
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search | rex field=yourfield "(?<combined>(?<src_zone>.*)[\-](?<dst_zone>[^t]+))"
If you're not keen on doing everything in one rex command only, there are multiple options.
your base search | rex field=yourfield "(?<combined_field>[^t]+)" | rex field=combined_field "(?<src_zone>.*)[\-](?<dst_zone>.*)"
your base search | rex field=yourfield "(?<src_zone>.*)[\-](?<dst_zone>.*)[t]+" | eval combined_field= src_zone."-".dst_zone
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I should have specified that there are additional tab separated fields after combined_field. When I attempted your first suggestion it captured more than I wanted.
However, I am getting closer using a variation on your first suggestion:
(?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>[^\t]))[^\t]+
yields
combined_field = "1A-1"
src_zone = "1A"
dst_zone = "1"
combined_field and dst_zone are getting clipped by one character.
Any more suggestions?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Casting Call: Compete in Cyber Games
Announcing Modern Navigation: A New Era of Splunk User Experience
How Edge Processor's Durable Queue Works
