Splunk Search

Spliting single filed into multiple fields based on different delimiters

JP
Explorer

Hi,

I have the following value in a field which needs to be split into multiple fields,

Classname: 

abc.TestAutomation.NNNN.Specs.Prod/NDisableTransactionalAccessUsers.#()::TestAssembly:abc.TestAutomation

Required output:

Productname : abc.TestAutomation.NNNN.Specs.Prod

Feature name : NDisableTransactionalAccessUsers

Project : TestAssembly:abc.TestAutomation

I have been trying to extract the values into my fields using REX command, but I am failing.

source="Reports.csv"  index="prod_reports_data" sourcetype="ReportsData"                                                      |rex "classname(?<Productname>/*)\.(?<Featurename>#*)\.(?<Project>.*)" |table classname Productname Featurename Project

While I execute this command, there are no results.  I am very new to Splunk, can someone guide. 

Thanks.

Labels (2)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

You are getting there, have a look at this query - past the entire query into your search window and you can see how the rex statement works.

| makeresults 
| eval classname="abc.TestAutomation.NNNN.Specs.Prod/NDisableTransactionalAccessUsers.#()::TestAssembly:abc.TestAutomation" 
| rex field=classname "(?<Productname>[^/]*)\/(?<Featurename>[^#]*)#\(\)::(?<Project>.*)" 
| table classname Productname Featurename Project

Note that the regex syntax [^/]* is saying 'find me all characters that are NOT / - different to the way you had written it.

The delimiter #():: is specified as it, but you could do that differently if you expect something different.

I was not sure if classname was a field and whether it was C or c, but hopefully you get the picture.

Hope this helps.

 

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

You are getting there, have a look at this query - past the entire query into your search window and you can see how the rex statement works.

| makeresults 
| eval classname="abc.TestAutomation.NNNN.Specs.Prod/NDisableTransactionalAccessUsers.#()::TestAssembly:abc.TestAutomation" 
| rex field=classname "(?<Productname>[^/]*)\/(?<Featurename>[^#]*)#\(\)::(?<Project>.*)" 
| table classname Productname Featurename Project

Note that the regex syntax [^/]* is saying 'find me all characters that are NOT / - different to the way you had written it.

The delimiter #():: is specified as it, but you could do that differently if you expect something different.

I was not sure if classname was a field and whether it was C or c, but hopefully you get the picture.

Hope this helps.

 

JP
Explorer

Thank you! Works perfect for my requirement.

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...