Re: Split square bracket expression

drogo · ‎08-28-2023

Hi,

I want to separate out below fields in table format.

Raw = Namespace [com.sampple.ne.vas.events], ServiceName [flp-eg-cg], Version [0.0.1], isActive [true], AppliationType [EVENT]

Query I am using =
| eval Namespace=mvindex(split(mvindex(split(_raw, "Namespace "),1),"],"),1)
| eval ServiceName=mvindex(split(mvindex(split(_raw,"ServiceName "),1),"],"),0)
| eval Version=mvindex(split(mvindex(split(_raw,"Version "),1),"],"),0)
| stats latest(Namespace) as Namespace latest(ServiceName) as ServiceName latest(Version) as Version by host
| sort -Version

Expected result

Host	AppName	ServiceName	Version

drogo · ‎08-28-2023

@hanks @richgalloway this help

ITWhisperer · ‎08-28-2023

| rex max_match=0 "(?<keyvalue>\w+\s\[[^\]]+)"
| mvexpand keyvalue
| rex field=keyvalue "(?<key>\w+)\s\[(?<value>[^\]]+)"
| eval {key}=value
| fields - keyvalue key value
| stats values(*) as * by _raw

drogo · ‎08-28-2023

Thanks @ITWhisperer

richgalloway · ‎08-28-2023

It would help to know what results your query returned and why those results aren't good enough.

I prefer the rex command for extracting fields. The regular expressions below look for the given keyword then extract what's between the following square brackets.

| rex "Namespace \[(?<Namespace>[^\]]+)"
| rex "ServiceName \[(?<ServiceName>[^\]]+)"
| rex "Version \[(?<Version>[^\]]+)"
| stats latest(Namespace) as Namespace latest(ServiceName) as ServiceName latest(Version) as Version by host
| sort -Version

---
If this reply helps you, Karma would be appreciated.

Split square bracket expression: How to separate out below fields in table format?

fields

other

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?