Solved: how to extract data after a colon

joyce1018 · ‎02-05-2015

example

[dto=forename: "abcforename"
surname: "abcsurname" ..................]

I want to extract the forename and surname ,
and let them combine as a field USER

how?

MANY THX.

ramdaspr · ‎02-05-2015

You would have to tune the regex to match your requirement but the query would be somewhat like below

.. | rex field=fieldnamehere "dto\=forename\:\s\"(?<fname>\w+)\"\ssurname\:\s\"(?<sname>\w+)\"" | eval merged=fname." ".sname

ramdaspr · ‎02-05-2015

You would have to tune the regex to match your requirement but the query would be somewhat like below

.. | rex field=fieldnamehere "dto\=forename\:\s\"(?<fname>\w+)\"\ssurname\:\s\"(?<sname>\w+)\"" | eval merged=fname." ".sname

esix_splunk · ‎02-05-2015

Use a multiline rex.. This will capture everything in the "..".

search.... | rex field=_raw "^\[dto=forename\:\s\"(?<fname>.*)\"\nsurname\:\s\"(?<lastname>.*)\"" | table forename lastname

Another option would be to use props, set your sourcetype with linemerge=false, and define your event boundaries.

how to extract data after a colon