Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to create a custom Field Extraction

scout29
Path Finder
‎11-08-2023 12:55 PM

I am trying to write a regex to extract a field called "registrar" from some data like i have below. Can you please help how i could write this regex to be used in a rex command to extract the field? Below are three example events:


Registry Date: 2025-10-08T15:18:58Z   Registrar: ABC Holdings, Inc.   Registrar ID: 291  Server Name: AD12

Registry Date: 2025-11-08T15:11:58Z   Registrar: OneTeam, Inc.   Registrar ID: 235  Server Name: AD17

Registry Date: 2025-12-08T15:10:58Z   Registrar: appit.com, LLC   Registrar ID: 257  Server Name: AD14

 

I need the regex to use to extract the field called "registrar"  which in the above example would have the following three value matches:  

ABC Holdings, Inc. 

OneTeam, Inc

appit.com, LLC

 

 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2023 05:19 PM

Assuming the fields are always in the same order, this should do it.

| rex "Registrar: (?<registrar>.*?) Registar ID"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2023 05:19 PM

Assuming the fields are always in the same order, this should do it.

| rex "Registrar: (?<registrar>.*?) Registar ID"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

m_pham
Splunk Employee
Splunk Employee
‎11-08-2023 01:29 PM

Try adding this to your search

| rex field=_raw "Registrar ID: (?<registrar_id>\S+)" 

Update: I misread your post, standby for an updated search to include all three field extraction - unless someone else beat me to it. You can also use the "Extract New Fields" or "Event Actions" option when you run your search.

0 Karma
Reply
Solved! Jump to solution

scout29
Path Finder
‎11-08-2023 01:41 PM

i am looking for the field registrar to be extracted. There are three spaces after the registrar string - but i cant seem to write my regex to capture the full registrar name up to the three spaces. I am using this but not getting the full string extracted 

\sRegistrar:\s(?<registrar>\w+\s\w+)

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

m_pham
Splunk Employee
Splunk Employee
‎11-08-2023 01:53 PM

Try this - I'm not the best at regex and someone else may come along and provide a more efficient one.

 

Registrar: (?<registrar>.+[^\s]).+Registrar ID   

 

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...