Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rex question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rex question
Hello everyone, I am trying to extract several “NEW” fields from a field and I am having trouble doing so.
The field I am trying to extract from is a default field in an index but for some reason, the field name and its contents are not located in the "_raw" field. So, I am unable to use the built-in Splunk extractor to accomplish what I am trying to do.
The contents of the sourcefield varies as seen below.
-
sourcefield=/var/log/bash_history/localuser/DOMAIN\first.last.domain
• I need to extract "localuser" as field1, "DOMAIN" as field 2, and "first.last.domain" as field3. -
sourcefield=/var/log/bash_history/DOMAIN\first.last.domain/DOMAIN\first.last.domain
• I need to extract “DOMAIN” as field2 and “first.last.domain” as field3
Would it make sense to use the first example to extract all fields since both content paths share similar strings with the exception of “localuser”? That way, if the “localuser” field doesn’t exist it would just see it as NULL value?
Any help will be greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval sourcefield="/var/log/bash_history/localuser/DOMAIN\first.last.domain"
| appendpipe
[ eval sourcefield="/var/log/bash_history/DOMAIN\first.last.domain/DOMAIN\first.last.domain"]
| rename COMMENT as "from here, the logic"
| eval tmp1=mvindex(split(sourcefield,"/"),4), tmp2=mvindex(split(sourcefield,"/"),5)
| eval field1=if(tmp1!=tmp2,tmp1,NULL)
| eval field2=if(tmp1==tmp2,mvindex(split(tmp1,"\\"),0),NULL)
| eval field3=if(tmp1==tmp2,mvindex(split(tmp1,"\\"),1),NULL)
I think REGEX does not need.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gcusello I am not sure what you are asking. Is the question, how many results can the "field1" potentially have? If so, filed1 should not have more than 4 results (i.e. name1, name2, name3, or name4).
I had something similar to what you posted and I was never able to get the DOMAIN to field to extract. I will try what you posted and I will post my results shortly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @garciajbg,
the problem is field, because field 2 and 3 are easy to extract, so: there's a rule to identify field1 (e.g. w limited set of values)?
Anyway, to extract the other fields, try this regex:
(?<field2>\w+)\\(?<field3>[^\/]+)$
that you can check at https://regex101.com/r/DaqLjq/1 .
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if the values in field1 are few (four as you said), you could use two regexes:
the one above to extarct field2 and field3
the following to extract field1
\/\w+\/\w+\/\w+\/(?<field1>localuser|user2|user3|user4)/
Ciao.
Giuseppe
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
