I am using rex to split an existing field. Can I use the same rex in IFX?
| rex field="External ID" "(?.*)_"
I want to save the field1 in IFX. I went to Settings --> Fields --> Field extractions --> New, selected the sourcetype and used inline.
But it was not showing up in the search.
Hi vrmandadi,
Please use Code Sample (button with numbers) to show your regexes, I cannot see them.
Anyway, in IFX you can insert field="External ID" in IFX putting it at the end of the regex, in other words (I cannot use your regex because I cannot see it):
(?<External_ID>.*)_ in "External ID"
I'd prefer (if possible) to rename field dropping spaces
(?<External_ID>.*)_ in External_ID
Bye.
Giuseppe
This was the rex I was using
| rex field="External Video ID" "(?.*)_"
Hi vrmandadi,
sorry if I repeat: I cannot see your regex, please use Code Sample!
Anyway the condition field="External Video ID" can be reproduced in IFX adding after the regex in <fieldname>, see the following example:
(?<External_ID>.*)_ in External_ID
In addition I suggest to not use spaces in field names, you can use field names with spaces at the end of your search using rename.
Bye.
Giuseppe
Hi vrmandadi,
I didn't understand why, but there is a delay between field creation and availability in searches!
In addition, beware of spaces in the regex when you copy it.
Bye.
Giuseppe
Hello @cusello
Yup, I am aware that it takes time, but is there a problem with the quotes when placing it in IFX?
I just placed "External ID" (?.*)_ in the IFX but the rex has something like this
| rex field="External ID" "(?.*)_"
If you can make your regex work with the _raw field (by changing it), then you can save it with Settings --> Fields --> Field extractions --> New. If not, you'd need to set up a field transform, so that you can use another available field.
This is the sample event
RSN,interstitial/live_rsn_desktop_live ,Autozone/RSN_RSN_372462,Autozone/RSN_900014269,DIGITAL- 4Q17-2Q18 NBA Lakers Streaming_101917-042218_Live Stream,Autozone/RSN_ZONA1801_RSN,RSN APP,73369465,RSNAPP_LIVE,XXXXXXXXXXXX Network,Autozone/RSN_RSN_Live Stream,2/15/2018,620
I am trying to extract the one in bold
Is it always found in the 3rd last value in your raw data? If yes, out of Autozone/RSN_RSN_Live Stream which part is (currently) extracted as "External ID" and which part should be your new field?
Meanwhile give this regex a try
^([^,]+,){10}(?<YourNewField>([^_]+_)+)
This did not work. Can't we extract from an existing field and save it as a new field?
Nope, it is different for some events. "External ID" has values like
ID_LIVE
MS_LIVE
RTS_LIVE
TT_LIVE
HG_LIVE
Cp_LIVE
I am trying to extract a new field called field removing the part after _ like ID, MS, TT, HG
How is the field "External ID" extracted? Does its value always end with _LIVE?
So it's a csv file and it extracts that automatically as it is in the header, and not all values end with _LIVE
Ok.. One final question, how is CSV field extraction setup, at search-time (using KV_MODE=csv) OR at indexed-time (INDEXED_EXTRACTIONS=csv )? You can see the order in which a search time field extraction setting is applied here. http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Searchtimeoperationssequence#Search-time...
The field transforms (using which you can extract a field out of an existing field) are executed before the KV_MODE field extraction, so your "External ID" will not be available to the field transform if "External ID" is extracted via KV_MODE.
In that case, I think you can do your extraction using it by using calculated fields which are done after KV_MODE or automatic field extractions. Follow instructions from below link
http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/CreatecalculatedfieldswithSplunkWeb
and use the following eval expression: replace('External ID',"(.+)_(.+)","\1")
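Added example, not part of the original thread: a Python sketch that runs the rex-style pattern and the replace() pattern from the answer above over "External ID" values quoted in the thread, to show where the two diverge. Assumptions: Python's re module stands in for Splunk's regex engine, the capture group name field1 is taken from the question text (the group name is not visible in the posted rex), and the values RSNAPP and ABC_ are constructed edge cases.

```python
import re

# Values quoted in the thread, plus two constructed edge cases
# ("RSNAPP": no underscore; "ABC_": nothing after the underscore).
SAMPLE_VALUES = [
    "ID_LIVE", "MS_LIVE", "RTS_LIVE",
    "Autozone/RSN_RSN_Live Stream",
    "RSNAPP", "ABC_",
]

# rex-style extraction. Python spells a named group (?P<name>...);
# the group name field1 is an assumption taken from the question.
REX_PATTERN = re.compile(r"(?P<field1>.*)_")

# Pattern used by the eval expression replace('External ID',"(.+)_(.+)","\1").
EVAL_PATTERN = re.compile(r"(.+)_(.+)")


def rex_extract(value):
    """Mimic rex: return the capture, or None when nothing matches
    (rex creates no field for that event)."""
    match = REX_PATTERN.search(value)
    return match.group("field1") if match else None


def eval_replace(value):
    """Mimic eval replace(): substitute on a match, otherwise return
    the input unchanged (the calculated field still gets a value)."""
    return EVAL_PATTERN.sub(r"\1", value)


def compare(values):
    """Return (value, rex result, replace result) for each input."""
    return [(v, rex_extract(v), eval_replace(v)) for v in values]


if __name__ == "__main__":
    for value, rex_result, eval_result in compare(SAMPLE_VALUES):
        print(f"{value!r:35} rex={rex_result!r:22} replace={eval_result!r}")
```

Both patterns are greedy, so a value with several underscores is cut at the last one; they differ only when the value has no underscore or nothing after it.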
I used INDEXED_EXTRACTIONS=csv, so should I try uploading the csv again and change it to KV_MODE=CSV and then use it?
You can test with INDEXED_EXTRACTIONS itself. Try both calculated fields and field transforms method.
I did not see field="External ID"
😕 @somesoni2's answer will do.
Sorry for the confusion @mayur98
I just placed "External ID" (?.*)_ in the IFX but the rex has something like this
| rex field="External ID" "(?.*)_"