Solved: Rex Command with multiple formatting options

Dude · ‎04-01-2021

Trying to get the rex command to extract the last name when the user field has multiple formatting outputs below. Is there a way to incorporate both options into a rex command?

| rex field=user "(?<user_last_name>[A-Za-z]+),.*"

Smith, Bob

bob.t.smith.abc

richgalloway · ‎04-01-2021

I forgot Splunk doesn't support (?J). Sorry about that. Try this, instead. It extracts separate last name fields and then chooses the one that is not null.

| rex field=user "(?J)(?<last_name1>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<last_name2>\w+)"
| eval user_last_name=coalesce(last_name1, last_name2)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-01-2021

This regex fits the two examples, but there are many other ways to represent names.

| rex field=user "(?J)(?<user_last_name>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<user_last_name>\w+)"

---
If this reply helps you, Karma would be appreciated.

Dude · ‎04-01-2021

Each one of the halves work independently or if I create another name group they both work, but for whatever reason the (?J) modifier is not working. Also for the thread I did not know these regex modifiers existed. Regex Modifiers

richgalloway · ‎04-01-2021

I forgot Splunk doesn't support (?J). Sorry about that. Try this, instead. It extracts separate last name fields and then chooses the one that is not null.

| rex field=user "(?J)(?<last_name1>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<last_name2>\w+)"
| eval user_last_name=coalesce(last_name1, last_name2)

---
If this reply helps you, Karma would be appreciated.

Rex Command with multiple formatting options

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!