erex or IFE with comma

tb5821 · ‎11-22-2013

How do I use the IFA or even better erex and specify mutiple values that contain a comma? I've tried putting them in quotes etc but doesn't seem to work.

I really just trying to extract a date from our logs which starts with the year and ends in 00

lguinn2 · ‎04-28-2015

When doing field extraction, Splunk may look at fields containing commas as "multi-valued" fields - or not, depending on your configuration.

erex might not be a good choice for dealing with this, because it uses commas to separate the sample values. For the example that @garywiner provided, this will work

yoursearchhere
| rex field=_raw "Name=(?<lastname>.+?)\,(?<firstname>.+?)\;"

This creates two fields, lastname and firstname... You could use a similar regular expression in a props.conf EXTRACT to make these fields permanent.

lguinn2 · ‎11-23-2013

Can you post an example of the data that you are working with - and how the field should be extracted? I think this would be easier with a concrete example.

BTW, I think you mean the IFX (Interactive Field Extractor).

garywiner · ‎04-27-2015

Same question, but something even simpler. The field contains "lastname,firstname".
Name=IDAHO,DUNCAN;
Name=JONES,JOHN;

erex or IFE with comma

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability