Splunk Search

Regex Field Extraction in Data Model

han
Engager

Hi all. I'm fairly new to Splunk and regex. I've got many event logs and I'm making use of data models before generating different visualisations.

 

The fields discovered aren't good enough for my use case, so I need to extract specific fields. Right now, using the following regex

(?<field_name>(([a-zA-Z]+(\.[a-zA-Z]+)+)_([a-zA-Z]+(|[a-zA-Z]+)+)|/^([^.]+)/))

, I'm able to extract this pattern

ABC|DEF|GHI

most accurately.

Subsequently, I would like to extract each respective word into its own field: in total, 3 different fields for ABC, DEF and GHI respectively.

Is there a way I can extract each individual word? How can I perform a regex expression on top of my current regex expression result? Thank you.


isoutamo
SplunkTrust

Hi

An excellent place to check and train with your regex is regex101.com. There you can try, with visual feedback, how those are working.

Separating those into their own variables can be done in at least the following ways.

... base search ...
| rex "(?<field1>[rex for field one])...(?<f2>[rex for f2])...(?<f3>[rex for f3])"

or

... base search ...
| rex "(?<field1>[rex for field one])"
| rex "(?<f2>[rex for f2])"
| rex "(?<f3>[rex for f3])"

But which one is better for you? As usual, it depends on what your events are. Are those always in the same order and all in place (then probably the first one is better)? Or can the order be different, and are all of those present? In this case probably the second one is better. Of course, in the second one you must separate those events from each other to get the values into the correct field name. For that reason you must add some additional strings etc. to those rex to match the correct part of the event.

And one option is to add those extractions to props.conf and transforms.conf, especially when you need those in several queries.

Two other commands which can help you: https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Extract and https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Erex

r. Ismo


han
Engager

Hey @isoutamo. Thanks for the suggestion. However, my question is specific to forming the regex expression in the Regular Expression box within "App/Search/data_model_editor" of Splunk, and not about forming a search query as you've suggested.

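As an added illustration (not code from this thread), the single-regex form suggested above, written as one pattern that would go into the data model editor's Regular Expression box: nested named groups keep the whole ABC|DEF|GHI token in field_name and split its three words into their own fields in one pass, and an event without the token yields no fields rather than a partial set. It assumes the editor accepts nested PCRE named groups; the sample events are constructed, and the pattern is converted to Python's (?P<name>...) syntax only so it can be tested offline.

```python
import re

# PCRE-style pattern as it would be typed into the Regular Expression box
# (assumption: nested named groups are accepted there, as they are by rex).
# The outer group keeps the full "ABC|DEF|GHI" token; the inner groups split it.
SPLUNK_PATTERN = (
    r"(?<field_name>(?<first>[A-Za-z]+)\|(?<second>[A-Za-z]+)\|(?<third>[A-Za-z]+))"
)


def to_python_regex(pcre: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched.
    """
    return re.sub(r"\(\?<(?![=!])", "(?P<", pcre)


def extract_fields(event: str, pattern: str = SPLUNK_PATTERN) -> dict:
    """Return the named-group fields the pattern would extract from one event.

    A non-matching event returns an empty dict, mirroring how a rex that does
    not match leaves every named field unset instead of half-populated.
    """
    m = re.search(to_python_regex(pattern), event)
    return m.groupdict() if m else {}


# Constructed sample events (not from the original thread).
SAMPLE_EVENTS = [
    "2022-01-10 23:08:00 host=srv1 action=ABC|DEF|GHI status=ok",
    "2022-01-10 23:08:01 host=srv2 action=XYZ|QRS|TUV status=ok",
    "2022-01-10 23:08:02 host=srv3 heartbeat",
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(extract_fields(ev))
```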
