Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to create a custom Field Extraction

scout29
Path Finder
‎11-08-2023 12:55 PM

I am trying to write a regex to extract a field called "registrar" from some data like i have below. Can you please help how i could write this regex to be used in a rex command to extract the field? Below are three example events:


Registry Date: 2025-10-08T15:18:58Z   Registrar: ABC Holdings, Inc.   Registrar ID: 291  Server Name: AD12

Registry Date: 2025-11-08T15:11:58Z   Registrar: OneTeam, Inc.   Registrar ID: 235  Server Name: AD17

Registry Date: 2025-12-08T15:10:58Z   Registrar: appit.com, LLC   Registrar ID: 257  Server Name: AD14

 

I need the regex to use to extract the field called "registrar"  which in the above example would have the following three value matches:  

ABC Holdings, Inc. 

OneTeam, Inc

appit.com, LLC

 

 

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2023 05:19 PM

Assuming the fields are always in the same order, this should do it.

| rex "Registrar: (?<registrar>.*?) Registar ID"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-08-2023 05:19 PM

Assuming the fields are always in the same order, this should do it.

| rex "Registrar: (?<registrar>.*?) Registar ID"
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

m_pham
Splunk Employee
Splunk Employee
‎11-08-2023 01:29 PM

Try adding this to your search

| rex field=_raw "Registrar ID: (?<registrar_id>\S+)" 

Update: I misread your post, standby for an updated search to include all three field extraction - unless someone else beat me to it. You can also use the "Extract New Fields" or "Event Actions" option when you run your search.

0 Karma
Reply
Solved! Jump to solution

scout29
Path Finder
‎11-08-2023 01:41 PM

i am looking for the field registrar to be extracted. There are three spaces after the registrar string - but i cant seem to write my regex to capture the full registrar name up to the three spaces. I am using this but not getting the full string extracted 

\sRegistrar:\s(?<registrar>\w+\s\w+)

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

m_pham
Splunk Employee
Splunk Employee
‎11-08-2023 01:53 PM

Try this - I'm not the best at regex and someone else may come along and provide a more efficient one.

 

Registrar: (?<registrar>.+[^\s]).+Registrar ID   

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top