Solved: Rex Command with multiple formatting options

Dude · ‎04-01-2021

Trying to get the rex command to extract the last name when the user field has multiple formatting outputs below. Is there a way to incorporate both options into a rex command?

| rex field=user "(?<user_last_name>[A-Za-z]+),.*"

Smith, Bob

bob.t.smith.abc

richgalloway · ‎04-01-2021

I forgot Splunk doesn't support (?J). Sorry about that. Try this, instead. It extracts separate last name fields and then chooses the one that is not null.

| rex field=user "(?J)(?<last_name1>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<last_name2>\w+)"
| eval user_last_name=coalesce(last_name1, last_name2)

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-01-2021

This regex fits the two examples, but there are many other ways to represent names.

| rex field=user "(?J)(?<user_last_name>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<user_last_name>\w+)"

---
If this reply helps you, Karma would be appreciated.

Dude · ‎04-01-2021

Each one of the halves work independently or if I create another name group they both work, but for whatever reason the (?J) modifier is not working. Also for the thread I did not know these regex modifiers existed. Regex Modifiers

richgalloway · ‎04-01-2021

I forgot Splunk doesn't support (?J). Sorry about that. Try this, instead. It extracts separate last name fields and then chooses the one that is not null.

| rex field=user "(?J)(?<last_name1>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<last_name2>\w+)"
| eval user_last_name=coalesce(last_name1, last_name2)

---
If this reply helps you, Karma would be appreciated.

Rex Command with multiple formatting options

rex

There's No Place Like Chrome and the Splunk Platform

The Great Resilience Quest: 5th Leaderboard Update

Devesh Logendran, Splunk, and the Singapore Cyber Conquest