Solved: Re: Regex to extract multiple fields from single e...

gvnd · ‎06-05-2017

Hi, I want to extract particular fields from single event based on fields position.

Sample Data:

event1: aaa|bbb|ccc|234| | f5h | |tgvsfj| jhsfj| | | | 6384;
event2: aaa|ggg|hhh|56f| | 563 | |dhr| jhsfj| | | | 6385;

Now, I want to extract 3rd field(i.e ccc) and 7th field(i.e some spaces,nodata)

My data may include spaces.

I need regex to extract those fields only.

Thanks in advance.

dineshraj9 · ‎06-05-2017

You see each field is a set of characters which is "NOT |" followed by a "|".

| rex "([^\|]*\|){2}(?<thirdField>[^\|]*)\|([^\|]*\|){3}(?<seventhField>[^\|]*)"

Test regular expressions using https://regex101.com/r/Odnybw/1

View solution in original post

inventsekar · ‎06-05-2017

Please check this -
sourcetype=sample | rex field=_raw "^(?:[^\|\n]*\|){2}(?P<string1>\w+)(?:[^ \n]* ){3}\|(?P<string2>\s+)" | table string1 string2 _raw

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

dineshraj9 · ‎06-05-2017

You see each field is a set of characters which is "NOT |" followed by a "|".

| rex "([^\|]*\|){2}(?<thirdField>[^\|]*)\|([^\|]*\|){3}(?<seventhField>[^\|]*)"

Test regular expressions using https://regex101.com/r/Odnybw/1

Regex to extract multiple fields from single event

Buttercup Games: Further Dashboarding Techniques (Part 6)

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts