Solved: Regex field values into new fields

lbogle · ‎03-03-2016

Hello Splunkers,

I am trying to take the values from an existing field/value pair and put them into new fields.
host=HOTX003ASA2
host=RECA002JUN1
host=LLCA323PAN2

1st two characters=City
2nd two character=State
3 digits=Site no.
Last 3 characters=FW vendor
Last number=Cluster no.

I setup a regex in regex101.com that grabbed the first two characters successfully "^.{2}" but Splunk gives me the following error: The regex '^\d{2}' does not extract anything.

How do I grab the character pairs as described and put them into their own fields?

Thanks!

somesoni2 · ‎03-03-2016

Try like this

your base search with field host | rex field=host "(?<City>\S{2})(?<State>\S{2})(?<Site_No>\d{3})(?<FW_Vendor>\S{3})(?<Cluster_No>\d)"

View solution in original post

somesoni2 · ‎03-03-2016

Try like this

your base search with field host | rex field=host "(?<City>\S{2})(?<State>\S{2})(?<Site_No>\d{3})(?<FW_Vendor>\S{3})(?<Cluster_No>\d)"

lbogle · ‎03-03-2016

Thanks! I think I get it now!

Regex field values into new fields

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?

Regex field values into new fields

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2