Solved: Regex field values into new fields

lbogle · ‎03-03-2016

Hello Splunkers,

I am trying to take the values from an existing field/value pair and put them into new fields.
host=HOTX003ASA2
host=RECA002JUN1
host=LLCA323PAN2

1st two characters=City
2nd two character=State
3 digits=Site no.
Last 3 characters=FW vendor
Last number=Cluster no.

I setup a regex in regex101.com that grabbed the first two characters successfully "^.{2}" but Splunk gives me the following error: The regex '^\d{2}' does not extract anything.

How do I grab the character pairs as described and put them into their own fields?

Thanks!

somesoni2 · ‎03-03-2016

Try like this

your base search with field host | rex field=host "(?<City>\S{2})(?<State>\S{2})(?<Site_No>\d{3})(?<FW_Vendor>\S{3})(?<Cluster_No>\d)"

View solution in original post

somesoni2 · ‎03-03-2016

Try like this

your base search with field host | rex field=host "(?<City>\S{2})(?<State>\S{2})(?<Site_No>\d{3})(?<FW_Vendor>\S{3})(?<Cluster_No>\d)"

lbogle · ‎03-03-2016

Thanks! I think I get it now!

Regex field values into new fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation