Splunk Search

Regex for extraction of Pattern from existing field

Sourabhv05
Communicator

I want to extract a pattern from the existing field "source", whose value is /abc/Prod/log/p123ot12. I want to extract p123ot12 from this source field and put it in a new field called job.

Need your assistance ASAP.

0 Karma

MuS
SplunkTrust

Hi Sourabhv05,

So, you want an answer asap 😉

Your regex is pretty easy; you're looking for everything after the last /, so try this:

your base search goes here | rex field=source "(?<job>[^\/]*)$" | table job

This will extract everything after the last / and put it in a field called job.

You can test and learn regex over here https://regex101.com

Hope that helps and was asap enough 😉

cheers, MuS

Sourabhv05
Communicator

I need one more piece of help. I have a pattern ABCDEF**** in my logs, which are getting indexed in Splunk. I need to put that pattern in a field which I want to display in a table along with job. How can I do that?

0 Karma

esix_splunk
Splunk Employee

Add the field called source to your table..

... | table source , myfield1, myfield2, myfieldN

MuS
SplunkTrust

Uppsss, my bad. Looks like I got the additional question wrong 😉

0 Karma

MuS
SplunkTrust

Okay, instead of asking for more help, why don't you read the docs about the field extractor http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX and learn how to use it? It helps you get anything out of your events into fields, which can then be used in any further search within the same app. It makes your life much easier 😉

0 Karma

Sourabhv05
Communicator

Hi Mus,

I am getting an error when pasting this regex after my search. The error is: Error in 'SearchOperator:regex': Usage: regex <field> (=|!=) <regex>.

My base search is index = abc host = "xyz"

When I put it like index = abc host = "xyz" |regex field=source "(?<job>[^\/]*)$" | table job it gave me the above error. Please help.

0 Karma

MuS
SplunkTrust

Well, do you have a field called source? Try rex instead of regex, and if it's still not working, try this:

 index=abc host="xyz" |rex "(?<job>[^/]*)$" | table job
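An added example, not from the thread or from Splunk, that models the two commands in Python to show why the `regex` form in the question errors out and what `rex` actually does: `rex` extracts named groups from one field and falls back to `_raw` when no `field=` is given (so the same pattern can pull a different string out of the raw event text than out of `source`), while `regex <field>=<pattern>` only keeps or drops events and adds no field. Python's `re` module spells named groups `(?P<name>...)`, so a small helper rewrites Splunk's PCRE `(?<name>...)` first. It also covers the edge case of a `source` ending in `/`, where `[^/]*` yields an empty job and `[^/]+` yields none. The events, paths and function names are constructed for illustration; `rex` and `regex_filter` are a simplified model, not Splunk's implementation.

```python
import re

# Constructed sample events (not from the original thread). Each event is a
# dict of Splunk-style fields: "_raw" is the event text, "source" the file path.
EVENTS = [
    {"_raw": "2024-05-01 10:00:01 INFO job started",
     "source": "/abc/Prod/log/p123ot12"},
    {"_raw": "2024-05-01 10:00:02 INFO job started",
     "source": "/abc/Dev/log/q77xy9"},
    {"_raw": "2024-05-01 10:00:03 WARN path=/tmp/x/y",
     "source": "/abc/Prod/log/"},          # edge case: trailing slash
]


def to_python_regex(pcre):
    """Splunk's rex uses PCRE named groups (?<name>...); Python's re module
    expects (?P<name>...). Rewrite only that group prefix, nothing else
    (lookbehinds (?<= and (?<! are left alone because '=' and '!' are not
    identifier characters)."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pcre)


def rex(events, pattern, field="_raw"):
    """Simplified model of Splunk's `rex` command: run a named-group regex
    against ONE field (default _raw, as in Splunk) and add each named group
    as a new field. Events that do not match, or lack the field, pass
    through unchanged and simply have no `job` field."""
    compiled = re.compile(to_python_regex(pattern))
    out = []
    for ev in events:
        ev = dict(ev)                      # do not mutate the caller's events
        value = ev.get(field)
        if value is not None:
            m = compiled.search(value)
            if m:
                ev.update(m.groupdict())
        out.append(ev)
    return out


def regex_filter(events, field, pattern, negate=False):
    """Simplified model of Splunk's `regex` command. Its syntax is
    regex <field>=<pattern> or regex <field>!=<pattern>: it FILTERS events
    and never extracts anything, which is why `regex field=source "..."`
    produces the usage error quoted in the thread."""
    compiled = re.compile(to_python_regex(pattern))
    return [ev for ev in events
            if (compiled.search(ev.get(field, "")) is not None) != negate]


def jobs_from_source():
    """MuS's first answer: ... | rex field=source "(?<job>[^\\/]*)$" | table job"""
    return [ev.get("job") for ev in rex(EVENTS, r"(?<job>[^\/]*)$", field="source")]


def jobs_from_raw():
    """Same pattern with no field=, i.e. applied to _raw: it matches the tail
    of the raw event text after the last '/', which is not the source path."""
    return [ev.get("job") for ev in rex(EVENTS, r"(?<job>[^\/]*)$")]


def jobs_requiring_one_char():
    """[^/]+ instead of [^/]*: a source ending in '/' gets no job field at all
    rather than an empty one, so downstream `| where isnotnull(job)` can drop it."""
    return [ev.get("job") for ev in rex(EVENTS, r"(?<job>[^/]+)$", field="source")]


def prod_events():
    """`regex` keeps only events whose source starts with /abc/Prod/; none of
    the surviving events gains a job field."""
    return regex_filter(EVENTS, "source", r"^/abc/Prod/")


if __name__ == "__main__":
    print("rex field=source :", jobs_from_source())
    print("rex on _raw      :", jobs_from_raw())
    print("rex with [^/]+   :", jobs_requiring_one_char())
    print("regex filter     :", [ev["source"] for ev in prod_events()])
```

Running it shows `rex field=source` yielding `p123ot12`, `q77xy9` and an empty string for the trailing-slash path, while the same pattern without `field=` returns whole raw lines (or `y` from `path=/tmp/x/y`), which is the practical reason to always name the field; the `regex` call returns two of the three events and adds nothing to them.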

Sourabhv05
Communicator

Thanks a lot, MuS. It works perfectly.

0 Karma