Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex Command with multiple formatting options

Dude
Engager
‎04-01-2021 07:59 AM

Trying to get the rex command to extract the last name when the user field has multiple formatting outputs below. Is there a way to incorporate both options into a rex command?

| rex field=user "(?<user_last_name>[A-Za-z]+),.*" 

Smith, Bob

bob.t.smith.abc

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2021 01:07 PM

I forgot Splunk doesn't support (?J).  Sorry about that.  Try this, instead.  It extracts separate last name fields and then chooses the one that is not null.

| rex field=user "(?J)(?<last_name1>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<last_name2>\w+)"
| eval user_last_name=coalesce(last_name1, last_name2)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2021 10:37 AM

This regex fits the two examples, but there are many other ways to represent names.

| rex field=user "(?J)(?<user_last_name>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<user_last_name>\w+)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Dude
Engager
‎04-01-2021 11:59 AM

Each one of the halves work independently or if I create another name group they both work, but for whatever reason the (?J) modifier is not working. Also for the thread I did not know these regex modifiers existed.  Regex Modifiers 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2021 01:07 PM

I forgot Splunk doesn't support (?J).  Sorry about that.  Try this, instead.  It extracts separate last name fields and then chooses the one that is not null.

| rex field=user "(?J)(?<last_name1>[A-Za-z]+),.*|[^\.]+\.[^\.]+\.(?<last_name2>\w+)"
| eval user_last_name=coalesce(last_name1, last_name2)
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...