Solved: Re: New Field From a Current Field Up to a Certain...

aferone · ‎11-26-2013

I have a field named FieldA. It looks like this:

10.10.10.10->10.11.11.11

I want to create a new field (FieldB) that is everything left of the "->". I tried using LTRIM, among others, but I can't get it working. This "seems" easy. 🙂

Help?

Thank you!

kristian_kolb · ‎11-26-2013

 ... | rex field=fieldA "^(?<fieldB>[\d.]+)"

should do it...

/k

View solution in original post

aholzer · ‎11-26-2013

Combine Kristian and Luke's answers:

... | rex field=fieldA "^(?\d+\.\d+\.\d+\.\d+)"

This should do it. Luke's answer was getting the right side of your fieldA, while Kristian's answer wasn't properly accounting for the periods in the IP.

kristian_kolb · ‎11-26-2013

 ... | rex field=fieldA "^(?<fieldB>[\d.]+)"

should do it...

/k

aferone · ‎11-26-2013

Thanks, Kristian!

kristian_kolb · ‎11-26-2013

Sorry, I could have explained more clearly;

From the start of the string - ^ - start capturing - ( - a field called fieldb - ? - that consists of one or more digits and dots - [\d.]+ - and then stop the capture - )

/k

aferone · ‎11-26-2013

Good stuff here, everyone. Thanks again!

aelliott · ‎11-26-2013

so if it weren't always numbers and dots then
rex field=FieldA "^(?.*)->" would work.. after all.. it could be an IPv6

lukejadamec · ‎11-26-2013

Kristian's capture group includes only digits and dots, so when it gets to the -> it stops, and the ? grabs the first set that matches the group.

I forgot which way left was.

aelliott · ‎11-26-2013

http://www.splunk.com/web_assets/pdfs/secure/Splunk_Quick_Reference_Guide.pdf may help.. I'm not that good myself and am not quite sure how it excludes the -> myself but you could include the -> at the very end if you wanted.

aferone · ‎11-26-2013

How, can you explain exactly how this work? My RegEx is terrible. Thanks again!

aferone · ‎11-26-2013

OK, I removed my top and table commands, and the rex is working just fine. I need to see how to format this data now. Thank you very much!!

aferone · ‎11-26-2013

Nope, no typos.

How does the rex work with this? How does it know to stop at the dash in the original string?

gfuente · ‎11-26-2013

Is there a typo in the field name? The first F of the field name is uppercase?

... | rex field=FieldA "^(?[\d.]+)"

aferone · ‎11-26-2013

Hmmm. I tried this, but I'm not getting data back in the new field.

lukejadamec · ‎11-26-2013

Can you post the _raw event that contains the data?
In the mean time, have you tried
rex ".*->(?<newfield>\d+\.\d+\.\d+\.\d+)\D.*"

Is the new field always an IP?

New Field From a Current Field Up to a Certain Character (In a Search)

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

New Field From a Current Field Up to a Certain Character (In a Search)

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR