Splunk Search

Regex multiple values from a string

timyong80
Explorer

Hello,

How can I extract multiple values from a string after each slash? For the example below, I would like to extract field1 with the value "Subscription", field2 with the value "83C4EEEF-XXOA-1234" and so on.

/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS

Thank you.

0 Karma
1 Solution

ITWhisperer
SplunkTrust

You could use split instead of rex

| makeresults
| eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS"
| eval parts=split(_raw,"/")

You end up with a multi-value field, then you can use mvindex to pull out specific parts.

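As an added worked example (my own search, not ITWhisperer's code), here is the split approach carried through to the named fields the question asked for. It assumes the eight-segment layout of the sample path; the names field3 onwards and resource_name are my own. One caveat worth knowing: because the sample string begins with a slash, split(_raw, "/") returns an empty string as its first value, so mvindex(parts, 0) would be empty. ltrim removes that leading slash so that index 0 is SUBSCRIPTIONS. Replace the first two lines with your own search.

```spl
| makeresults
| eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS"
| eval parts=split(ltrim(_raw, "/"), "/")
| eval part_count=mvcount(parts)
| eval field1=mvindex(parts, 0), field2=mvindex(parts, 1), field3=mvindex(parts, 2), field4=mvindex(parts, 3)
| eval field5=mvindex(parts, 4), field6=mvindex(parts, 5), field7=mvindex(parts, 6), field8=mvindex(parts, 7)
| eval resource_name=mvindex(parts, -1)
| table _raw part_count field1 field2 field3 field4 field5 field6 field7 field8 resource_name
```

With the sample event this yields field1=SUBSCRIPTIONS, field2=83C4EEEF-XXOA-1234, field3=VIRTUALGROUPS and so on through field8 (and resource_name) = JOHN.DOE-TBHOST-DWS, with part_count=8. A negative index to mvindex counts from the end, which is handy when the last segment is the one you care about. For events whose paths are shorter than expected, mvindex returns null for an out-of-range index rather than failing, so part_count is a useful field to check before relying on a fixed position.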

kamlesh_vaghela
SplunkTrust

@timyong80 

You can try something like the search below. Just go through my sample search and update as per your requirement.

| makeresults
| eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS" | eval uq=1 | accum uq
| eval parts=split(_raw,"/")
| stats count by uq, parts | where parts!=""
| eval a=1 | accum a | eval field{a} = parts | fields - a,count, parts
| stats values(*) as * by uq

timyong80
Explorer

Thank you @kamlesh_vaghela ! I tried the section below but the search did not complete its run. It just keeps searching. But the first 3 lines helped to get what I wanted to achieve after adding mvindex.

| stats count by uq, parts | where parts!=""
| eval a=1 | accum a | eval field{a} = parts | fields - a,count, parts
| stats values(*) as * by uq

Thank you for your help and suggestion!

0 Karma
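For events whose paths contain a varying number of segments, the following added search (my own, not kamlesh_vaghela's) numbers the parts per event while keeping them in path order. It differs from the search above in two ways that matter: stats count by uq, parts groups on the part values, which orders them alphabetically rather than by position, and the accum a counter runs across all rows of the search instead of restarting for each event. mvexpand keeps the values in their original order, and streamstats ... by event_id restarts the position counter per event. The names event_id and pos are my own; the first two lines are sample data to be replaced by your search.

```spl
| makeresults
| eval _raw="/SUBSCRIPTIONS/83C4EEEF-XXOA-1234/VIRTUALGROUPS/JOHN.DOE/PROVIDERS/MICROSOFT.GRAPH/DISKENCRYPTIONSETS/JOHN.DOE-TBHOST-DWS"
| streamstats count as event_id
| eval parts=split(ltrim(_raw, "/"), "/")
| mvexpand parts
| streamstats count as pos by event_id
| eval field{pos}=parts
| fields - parts, pos
| stats first(_raw) as _raw, values(field*) as field* by event_id
```

Each event comes back as a single row with field1 ... fieldN in path order, where N is that event's own segment count. mvexpand is subject to the search's memory limits, so on very large result sets it is worth narrowing the search before this step, and the fixed-position mvindex form is cheaper when the layout is known in advance.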

timyong80
Explorer

Thanks @ITWhisperer. That looks like a hardcoded entry but the _raw column has unique values in each record. Is there a better way for this?

0 Karma

ITWhisperer
SplunkTrust

I am not sure I understand - the first two lines just set up sample data and should be replaced by your search. You will then have a multi-value field called parts for each event returned by your search, from which you can then select the parts you want into different fields with the mvindex command. If that isn't what you want to do, please explain further.

0 Karma

timyong80
Explorer

Sorry I misunderstood the first two lines. I've just tried it on my search and it works! I then used mvindex like you suggested to bring out the parts to each new field.

| eval field1=mvindex(parts,0)

Thank you very much sir.

0 Karma