Solved: Re: Regex field extraction

nmsaraujo · ‎08-03-2021

Hello all,

I have one sourcetype that does not allow me to create a static field extraction, because we have several fields with different name and is almost impossible to cover all of them.

My data is similar to this:

fieldname1 : values1 with spaces - fieldname2 : value2 - fieldname3 : value-for-field3
field name4 : values4withoutspaces - fieldname5 : value5 (this should be included in value5) - fieldname6 : value-for-field3 fieldname7 :

All kv pairs are delimitd by " - " and the pair delimiter is " : " .

To cover this requirement, I have a field transforms that uses a regex to calculate key-value pairs automatically

[wildcard_extractions]
CLEAN_KEYS = 0
FORMAT = $1::$2
REGEX = (\S+)\s:\s(\S+)

PROBLEM: When the field name or the value has spaces, I can not get the full values.

Could some, more experienced than me, help me with my regex expression, please?

https://regex101.com/r/R9XhmD/1

ITWhisperer · ‎08-03-2021

This might work better if you have spaces in fieldnames

(?<fieldname>.+?)\s:\s(?<fieldvalue>.+?)(?<!\s)?(\s-|$)

View solution in original post

ITWhisperer · ‎08-03-2021

Try something like this

(?<fieldname>[\S]+) : (?<fieldvalue>[^:]+)(?<!\s)?(\s-|$)

nmsaraujo · ‎08-03-2021

Thanks @ITWhisperer for the swift reply.

With your suggested regex I still have issues with fields and values that includes spaces, right?

Thanks

ITWhisperer · ‎08-03-2021

This might work better if you have spaces in fieldnames

(?<fieldname>.+?)\s:\s(?<fieldvalue>.+?)(?<!\s)?(\s-|$)

nmsaraujo · ‎08-04-2021

Thanks @ITWhisperer

Great work!!!!!

Regex field extraction

field extraction

regex

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation