Splunk Search

Regex multiple values from a string

timyong80
Explorer

Hello,

How can I extract multiple values from a string after each slash? For example below, I would like to extract field1 with the value "Subscription", field2 with the value "83C4EEEF-XXOA-1234" and so on.

/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS

Thank you.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@timyong80

You can try something like the search below. Just go through my sample search and update it as per your requirement.

| makeresults
| eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS" | eval uq=1 | accum uq
| eval parts=split(_raw,"/")
| stats count by uq, parts | where parts!=""
| eval a=1 | accum a | eval field{a} = parts | fields - a,count, parts
| stats values(*) as * by uq

timyong80
Explorer

Thank you @kamlesh_vaghela! I tried the section below, but the search did not complete its run. It just keeps searching. But the first 3 lines helped me get what I wanted to achieve after adding mvindex.

| stats count by uq, parts | where parts!=""
| eval a=1 | accum a | eval field{a} = parts | fields - a,count, parts
| stats values(*) as * by uq

Thank you for your help and suggestion!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

You could use split instead of rex

| makeresults
| eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS"
| eval parts=split(_raw,"/")

You end up with a multi-value field; you can then use mvindex to pull out specific parts.

timyong80
Explorer

Thanks @ITWhisperer. That looks like a hardcoded entry but the _raw column has unique values in each record. Is there a better way for this?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I am not sure I understand - the first two lines just set up sample data and should be replaced by your search. You will then have a multi-value field called parts for each event returned by your search, from which you can select the parts you want into different fields with the mvindex function. If that isn't what you want to do, please explain further.

0 Karma

timyong80
Explorer

Sorry I misunderstood the first two lines. I've just tried it on my search and it works! I then used mvindex like you suggested to bring out the parts to each new field.

| eval field1=mvindex(parts,0)

Thank you very much, sir.

0 Karma
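As an added example (not code posted by anyone in this thread), here is the full split-and-mvindex search the answers describe, run over two constructed sample paths, side by side with the regex alternative the question title asks about; the second path, the field names and the rx_* cross-check are assumptions, not anything from the original post.

```spl
| makeresults count=2
| streamstats count as n
| eval _raw=case(n==1, "/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS",
                 n==2, "/SUBSCRIPTIONS/ASSUMED-ID-5678/VIRTUALGROUPS/JANE.ROE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JANE.ROE-TBHOST-DWS")
| eval parts=split(_raw, "/")
| eval parts=mvfilter(parts!="")
| eval subscription_id=mvindex(parts, 1),
       group_name=mvindex(parts, 3),
       provider=mvindex(parts, 5),
       resource_type=mvindex(parts, 6),
       resource_name=mvindex(parts, 7)
| rex field=_raw "^/SUBSCRIPTIONS/(?<rx_subscription_id>[^/]+)/VIRTUALGROUPS/(?<rx_group_name>[^/]+)/PROVIDERS/(?<rx_provider>[^/]+)/(?<rx_resource_type>[^/]+)/(?<rx_resource_name>[^/]+)$"
| eval extraction_ok=if(subscription_id==rx_subscription_id AND resource_name==rx_resource_name, "yes", "no")
| table _raw subscription_id group_name provider resource_type resource_name extraction_ok
```

Because each path begins with "/", split() returns an empty first element, which the mvfilter drops so that mvindex(parts, 0) is SUBSCRIPTIONS rather than ""; the anchored rex leaves its fields null when a path does not follow this exact layout, whereas mvindex silently returns whatever happens to sit at that position, so the extraction_ok column flags rows where the two methods disagree.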