Solved: Regex field values into new fields

lbogle · ‎03-03-2016

Hello Splunkers,

I am trying to take the values from an existing field/value pair and put them into new fields.
host=HOTX003ASA2
host=RECA002JUN1
host=LLCA323PAN2

1st two characters=City
2nd two character=State
3 digits=Site no.
Last 3 characters=FW vendor
Last number=Cluster no.

I setup a regex in regex101.com that grabbed the first two characters successfully "^.{2}" but Splunk gives me the following error: The regex '^\d{2}' does not extract anything.

How do I grab the character pairs as described and put them into their own fields?

Thanks!

somesoni2 · ‎03-03-2016

Try like this

your base search with field host | rex field=host "(?<City>\S{2})(?<State>\S{2})(?<Site_No>\d{3})(?<FW_Vendor>\S{3})(?<Cluster_No>\d)"

View solution in original post

somesoni2 · ‎03-03-2016

Try like this

your base search with field host | rex field=host "(?<City>\S{2})(?<State>\S{2})(?<Site_No>\d{3})(?<FW_Vendor>\S{3})(?<Cluster_No>\d)"

lbogle · ‎03-03-2016

Thanks! I think I get it now!

Regex field values into new fields

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...

Are you a member of the Splunk Community?

Regex field values into new fields

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Getting Started with Splunk Artificial Intelligence, Insights for Nonprofits, and ...