Splunk Search

Why is only the first word of the value getting extracted?

KyleMcDougall
Explorer

Hello!

I'm trying to pull full product names into a table, but only the first word is getting pulled in.

The field name is Product.

Example products are:

  • Cash product
  • Cash connections
  • Checking app
  • Checking cash product

When I create the table, I only see "Cash" or "Checking" as the product names instead of the full name. I can't figure out how to do a rex command to help solve this. (Or some other way to solve for it.)

Maybe something like this? I'm just guessing. 

"(Cash|Checking)\s[a-z]\w*"

Appreciate any help!

0 Karma
1 Solution

ITWhisperer
SplunkTrust

So, to clarify, your event is all on one line (no newline characters in the actual event)?

| rex "account_lookup__product_name=(?<product_name>[\w\s]+)\s+[\w]+="

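As an added check that is not part of the thread, the following Python runs three patterns over a constructed one-line event laid out like the sample in the question: a whitespace-delimited key=value split (which reproduces the "Cash"-only truncation), the accepted answer's rex pattern, and a hypothetical lookahead variant that also matches when the field is the last one in the event. Python's `(?P<name>...)` group syntax stands in for PCRE's `(?<name>...)`; the field names are the thread's, the event text is constructed.

```python
import re

# Constructed single-line event in the same key=value layout as the thread's
# sample (the sample on the page was shown one pair per line).
EVENT = (
    "account_lookup__level=|||| account_lookup__has_contacts_id=true "
    "account_lookup__premium=false account_lookup__intent_pred=buy_product "
    "account_lookup__intent_pred_utterance=buy a product "
    "account_lookup__product_family=PAYMENTS "
    "account_lookup__product_name=Cash product "
    "account_lookup__score_success=true account_lookup__success=true"
)

# Whitespace-delimited key=value extraction: the value ends at the first
# space, so a multi-word value is cut down to its first word.
AUTO_KV = re.compile(r"(?P<key>\w+)=(?P<value>\S*)")

# The accepted answer's pattern. [\w\s]+ is greedy and backtracks until the
# trailing "\s+\w+=" lands on the next key, so the capture stops one space
# before that key. It needs a following key, so it fails on a last field.
ACCEPTED = re.compile(r"account_lookup__product_name=(?P<product_name>[\w\s]+)\s+\w+=")

# Hypothetical variant (not from the thread): lazy capture plus a lookahead
# for either the next key or end of event, so a last field and punctuation
# inside the value are both handled.
ROBUST = re.compile(r"account_lookup__product_name=(?P<product_name>.+?)(?=\s+\w+=|$)")


def auto_kv(event: str) -> dict:
    """Split on key=value tokens the way a whitespace-based extractor would."""
    return {m["key"]: m["value"] for m in AUTO_KV.finditer(event)}


def extract(pattern: re.Pattern, event: str):
    """Return the product_name capture, or None when the pattern does not match."""
    m = pattern.search(event)
    return m["product_name"] if m else None


if __name__ == "__main__":
    print(auto_kv(EVENT)["account_lookup__product_name"])  # Cash
    print(extract(ACCEPTED, EVENT))                        # Cash product
    print(extract(ROBUST, EVENT))                          # Cash product
    # Field at the end of the event: ACCEPTED has no following key and fails.
    last = "account_lookup__success=true account_lookup__product_name=Checking cash product"
    print(extract(ACCEPTED, last), extract(ROBUST, last))  # None Checking cash product
```

For detection content keyed on such a field, the truncated value is the thing to watch for: a search for `product="Cash product"` silently returns nothing while `product=Cash` matches several different products.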

ITWhisperer
SplunkTrust

Can you give some sample events from which you are trying to extract the product field?

0 Karma

KyleMcDougall
Explorer

This is a typical event. 

account_lookup__level=|||| 
account_lookup__has_contacts_id=true 
account_lookup__premium=false 
account_lookup__intent_pred=buy_product
account_lookup__intent_pred_score=0.66920596
account_lookup__intent_pred_utterance=buy a product
account_lookup__is_accountant=false 
account_lookup__product_family=PAYMENTS 
account_lookup__product_name=Cash product
account_lookup__score_success=true 
account_lookup__success=true

And here's my table query:

| table account_lookup__product_name _time

Which shows as:

Cash | 2022-05-09 14:23:29

0 Karma

ITWhisperer
SplunkTrust

| rex "account_lookup__product_name=(?<account_lookup__product_name>.*)"

0 Karma

KyleMcDougall
Explorer

I'm still having some trouble. Here's my current query.

| rename account_lookup__product_name as product
| table product
| rex "product=(?<product>.*)"

I've tried moving the rex command before the table, but then the entire event log shows in the table.

I also tried doing this without the rename parameter, but it said the rex name is too long. (The actual field name is much longer than what I'm showing here - I omitted some words for security purposes.)

Regex: subpattern name is too long (maximum 32 characters).

0 Karma

KyleMcDougall
Explorer

This query seems like it's the best version so far. The product name shows as the first phrase in every line in the table, but the rest of the event is showing after the product name. I think I need to specify a word count or something.

| eval account_lookup__product_name = product_name
| rex "product_name=(?<product_name>.*)"
| table product_name

Here's one line from the table:

Cash product account_lookup__product_name__product_score=0.4215 account_lookup__product_name__score_success=true account_lookup__product_name__success=true

0 Karma