Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract text using regex

moayadalghamdi
Path Finder
‎01-12-2022 03:55 AM

hi, i want to extracted the first word from each variable the index has a field called search_name which has these variables:

 

Risk - 24 Hour Risk Threshold Exceeded - Rule
Endpoint - machine with possible malware - fffff
Network - Possible SQL injection - Rule

 

i want to perform a regex to extracted the first word out of each variable so the output would be:

 

risk

endpoint

network

 

 

 

 

thanks ^_^

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-12-2022 04:21 AM

Hi @moayadalghamdi,

please try this regex

| rex "^(?<your_field>\w+)"

that you can test at https://regex101.com/r/vKZmWL/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

moayadalghamdi
Path Finder
‎01-12-2022 05:22 AM

thanks for the answer ^_^

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-12-2022 04:21 AM

Hi @moayadalghamdi,

please try this regex

| rex "^(?<your_field>\w+)"

that you can test at https://regex101.com/r/vKZmWL/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

moayadalghamdi
Path Finder
‎01-12-2022 05:20 AM

you're really a legend, thanks mate splunker ^_^

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎01-12-2022 05:15 AM

And as you want those with lower cases then add this

| makeresults
| eval _raw ="Risk - 24 Hour Risk Threshold Exceeded - Rule
Endpoint - machine with possible malware - fffff
Network - Possible SQL injection - Rule"
| multikv noheader=t 
``` Above create test data ```
| rex "^(?<result>\w+)"
| eval res = lower(result)
| table res result _raw

r. Ismo 

Reply
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...