Regex Field Extraction in Data Model

han
Engager

Hi all. I'm fairly new to Splunk and regex. I've got many event logs and I'm making use of data models before generating different visualisations.

The fields discovered aren't good enough for my use case, so I need to extract specific fields. Right now, using the following regex

(?<field_name>(([a-zA-Z]+(\.[a-zA-Z]+)+)_([a-zA-Z]+(|[a-zA-Z]+)+)|/^([^.]+)/))

I'm able to extract this pattern

ABC|DEF|GHI

most accurately.

Subsequently, I would like to extract each respective word into its own field: in total 3 different fields, for ABC, DEF and GHI respectively.

Is there a way I can extract each individual word? How can I perform a regex expression on top of my current regex expression result? Thank you.


isoutamo
SplunkTrust

Hi,

An excellent place to check and train with your regex is regex101.com. There you can try, with visual feedback, how those are working.

Separating those into their own variables can be done in at least the following ways.

... base search ... 
| rex "(?<field1>[rex for field one])...(?<f2>[rex for f2])...(?<f3>[rex for f3])"

or

... base search ... 
| rex "(?<field1>[rex for field one])"
| rex "(?<f2>[rex for f2])" 
| rex "(?<f3>[rex for f3])"

But which one is better for you? As usual, it depends on what your events are. Are those always in the same order and all in place (then probably the first one is better)? Or can the order be different, and are those all present? In this case probably the second one is better. Of course, in the second one you must separate those events from each other to get the values into the correct field name. For that reason you must add some additional strings etc. to those rex to match the correct part of the event.

And one option is to add those extractions to props.conf and transforms.conf, especially when you need those in several queries.

Two other commands which can help you: https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Extract and https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Erex

r. Ismo


han
Engager

Hey @isoutamo. Thanks for the suggestion. However, my question is specific to forming the regex expression in the Regular Expression box within "App/Search/data_model_editor" of Splunk, and not about forming a search query as you've suggested.
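The following is an added example, not code from either poster, that works through the two approaches isoutamo describes on constructed events carrying the asker's ABC|DEF|GHI token. A single regex with three named groups is the form that fits one Regular Expression box in the data model editor (each named group becomes its own field, as with rex); the three separate, anchored regexes show why the answer says the second approach needs extra anchoring strings, and what each approach does when one word is missing. The field names, sample events and the missing-word case are assumptions made for the example.

```python
import re

# Constructed sample events (not taken from the original post). The third
# one is missing the middle word, to show how each approach handles it.
EVENTS = [
    "2022-01-10 23:08:00 host=web01 ABC|DEF|GHI status=ok",
    "2022-01-10 23:08:01 host=web02 XYZ|DEF|GHI status=ok",
    "2022-01-10 23:08:02 host=web03 ABC|GHI status=degraded",
]

# Approach 1: one regex with three named groups. This is what a single
# rex command, or the Regular Expression box in the data model editor,
# takes. Splunk (PCRE) spells a named group (?<name>...); Python's re
# module spells the same group (?P<name>...), so translate the syntax
# when copying the pattern into Splunk. Field names are assumptions.
COMBINED = re.compile(
    r"\b(?P<field1>[A-Z]+)\|(?P<field2>[A-Z]+)\|(?P<field3>[A-Z]+)\b"
)


def extract_combined(event):
    """Return field1/field2/field3 only if the whole X|Y|Z token is present, else {}."""
    m = COMBINED.search(event)
    return m.groupdict() if m else {}


# Approach 2: three independent regexes, each anchored on the surrounding
# '|' characters so it lands on the right word even when another word is
# absent. This mirrors three chained rex commands; the anchors are the
# "additional strings" the answer refers to.
SEPARATE = {
    "field1": re.compile(r"\b(?P<v>[A-Z]+)\|"),         # word before the first '|'
    "field2": re.compile(r"\|(?P<v>[A-Z]+)\|"),         # word between two '|'
    "field3": re.compile(r"\|(?P<v>[A-Z]+)\b(?!\|)"),   # word after the last '|'
}


def extract_separate(event):
    """Return whichever of field1/field2/field3 can be found; missing ones are omitted."""
    found = {}
    for name, pattern in SEPARATE.items():
        m = pattern.search(event)
        if m:
            found[name] = m.group("v")
    return found


if __name__ == "__main__":
    for event in EVENTS:
        print(event)
        print("  combined:", extract_combined(event))
        print("  separate:", extract_separate(event))
```

On the first two events both approaches return the same three fields. On the third event the combined pattern returns nothing at all, since the token no longer matches as a whole, while the separate patterns still recover field1 and field3 and simply leave field2 unset. That is the trade-off the answer describes: the single regex is the natural fit for the data model editor's one regex box when the words are always present and in the same order; otherwise each field needs its own anchored extraction.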
