Splunk Search

What would be the regular expression when using rex to match fields that end with a range of values?

dzyfer
Path Finder

What would be the regular expression when using rex to match fields that end with a range of values?

Sample:
"var0":0,"var1":10,"var2":20,"var10":100

I would like to extract fields from var1 to var10, and exclude var0.

Thanks

Labels (4)
0 Karma

bowesmana
SplunkTrust
SplunkTrust

A search time extraction if extract does not do what you want is (from rex statement onwards - first two lines create your sample)

| makeresults
| eval _raw="\"var0\":0,\"var1\":10,\"var2\":20,\"var10\":100"
| rex max_match=0 "\"(?<key>var[1-9]\d*)\":(?<value>[^,]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 [ eval k=mvindex(key, <<FIELD>>), v=mvindex(value, <<FIELD>>), {k}=v ]
| fields - key value k v

 

0 Karma

yuanliu
SplunkTrust
SplunkTrust

Regex is not needed for this kind of format; extract, aka kv, is sufficient.  If this is in _raw, simply do

| kv kvdelim=":" pairdlim=","

 If it is in a field named "data", you can do

| rename _raw AS temp, data AS _raw
| kv kvdelim=":" pairdlim=","​
| rename _raw as data, temp AS _raw
Tags (1)
0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...