Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What would be the regular expression when using rex to match fields that end with a range of values?

dzyfer
Path Finder
‎09-25-2022 08:47 PM

What would be the regular expression when using rex to match fields that end with a range of values?

Sample:
"var0":0,"var1":10,"var2":20,"var10":100

I would like to extract fields from var1 to var10, and exclude var0.

Thanks

Labels (3)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-25-2022 10:06 PM

A search time extraction if extract does not do what you want is (from rex statement onwards - first two lines create your sample)

| makeresults
| eval _raw="\"var0\":0,\"var1\":10,\"var2\":20,\"var10\":100"
| rex max_match=0 "\"(?<key>var[1-9]\d*)\":(?<value>[^,]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 [ eval k=mvindex(key, <<FIELD>>), v=mvindex(value, <<FIELD>>), {k}=v ]
| fields - key value k v

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-25-2022 09:39 PM

Regex is not needed for this kind of format; extract, aka kv, is sufficient.  If this is in _raw, simply do

| kv kvdelim=":" pairdlim=","

 If it is in a field named "data", you can do

| rename _raw AS temp, data AS _raw
| kv kvdelim=":" pairdlim=","​
| rename _raw as data, temp AS _raw
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...