Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Nested Field Extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have extracted a field that contains two values separated by a dash character "-". Now I want to retain that field/value as well as splitting its value into two additional fields.
For example:
combined_field = "1A-1B" (or src_zone-dst_zone)
src_zone = "1A" (one or more numbers followed by a single letter)
dst_zone = "1B" (one or more numbers followed by a single letter)
This rex worked (?< combined_field>[^\t]+) for capturing combined_field = "1A-1B".
(fields are tab separated)
This rex worked (?< combined_field>(?< src_zone>\d+\w+)[^\t]+) for capturing both combined_field = "1A-1B" and src_zone = "1A".
However, this rex (?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>\d+\w+)[^\t]+) fails to capture src_zone or dst_zone.
How can I revise this rex to capture the combined_field in its entirety, src_zone and dst_zone?
Thanks,
Patrick
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some experimentation I arrived at a solution:
(?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>[^\t]+))\t+
Yielded the desired results:
combined_field = "1A-1B"
src_zone = "1A"
dst_zone = "1B"
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some experimentation I arrived at a solution:
(?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>[^\t]+))\t+
Yielded the desired results:
combined_field = "1A-1B"
src_zone = "1A"
dst_zone = "1B"
Thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search | rex field=yourfield "(?<combined>(?<src_zone>.*)[\-](?<dst_zone>[^t]+))"
If you're not keen on doing everything in one rex command only, there are multiple options.
your base search | rex field=yourfield "(?<combined_field>[^t]+)" | rex field=combined_field "(?<src_zone>.*)[\-](?<dst_zone>.*)"
your base search | rex field=yourfield "(?<src_zone>.*)[\-](?<dst_zone>.*)[t]+" | eval combined_field= src_zone."-".dst_zone
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I should have specified that there are additional tab separated fields after combined_field. When I attempted your first suggestion it captured more than I wanted.
However, I am getting closer using a variation on your first suggestion:
(?< combined_field>(?< src_zone>\d+\w+)[\-](?< dst_zone>[^\t]))[^\t]+
yields
combined_field = "1A-1"
src_zone = "1A"
dst_zone = "1"
combined_field and dst_zone are getting clipped by one character.
Any more suggestions?
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Accelerating Observability as Code with the Splunk AI Assistant
