Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What would be the regular expression when using rex to match fields that end with a range of values?

dzyfer
Path Finder
‎09-25-2022 08:47 PM

What would be the regular expression when using rex to match fields that end with a range of values?

Sample:
"var0":0,"var1":10,"var2":20,"var10":100

I would like to extract fields from var1 to var10, and exclude var0.

Thanks

Labels (4)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-25-2022 10:06 PM

A search time extraction if extract does not do what you want is (from rex statement onwards - first two lines create your sample)

| makeresults
| eval _raw="\"var0\":0,\"var1\":10,\"var2\":20,\"var10\":100"
| rex max_match=0 "\"(?<key>var[1-9]\d*)\":(?<value>[^,]*)"
| foreach 0 1 2 3 4 5 6 7 8 9 [ eval k=mvindex(key, <<FIELD>>), v=mvindex(value, <<FIELD>>), {k}=v ]
| fields - key value k v

 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎09-25-2022 09:39 PM

Regex is not needed for this kind of format; extract, aka kv, is sufficient.  If this is in _raw, simply do

| kv kvdelim=":" pairdlim=","

 If it is in a field named "data", you can do

| rename _raw AS temp, data AS _raw
| kv kvdelim=":" pairdlim=","​
| rename _raw as data, temp AS _raw
Tags (1)
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...