Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rex help

darkins
Engager
‎11-23-2024 05:38 AM

probably an easy one, i have two events as follows

 

thisisfield1 thisisfield2 mynextfield3

thisisfield1 mynextfield3

meaning in some events field2 exists, in some it doesnt, when it does i want the value and when it doesnt i want it to be blank and all records have mynextfield3 and i always want that as field3

i want rex these lines and end up with

field1               field2              field3

thisisfield1    thisisfield2   mynextfield3

thisisfield1                              mynextfield3

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2024 04:07 AM

It all depends how your fields are delimited/anchored. @marnall 's answer is obvious if you have just two or three words separated by spaces. If your "layout" is different, you have to adjust it.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-24-2024 01:17 AM

Hi @darkins ,

could you share some samples of your logs, highlighting the strings to extract?

Ciao.

Giuseppe

0 Karma
Reply

darkins
Engager
‎11-24-2024 03:50 PM

not sure what else to put, this is what my data looks like

 

thisisfield1 thisisfield2 mynextfield3

thisisfield1 mynextfield3

 

i want these two lines to display as

 

field1               field2              field3

thisisfield1    thisisfield2   mynextfield3

thisisfield1                              mynextfield3

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-24-2024 11:29 PM

Hi @darkins ,

ad also @PickleRick and @marnall said, the regex depends on the log, so it's difficoult to create a regex without some sample.

If you have three words, separated by a space and somethimes there are only two words without any other rule, it's not possible to define a regex; if instead there's some additional rule in the firstfields or in the nextfield, it's possible to identify a regex.

Ciao.

Giuseppe

0 Karma
Reply

darkins
Engager
‎11-24-2024 03:54 PM

i guess the key is i think i need to say that field2 equals everything up to an m PRECEDED by a space?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2024 12:21 AM

The thing is that regex must match your data properly so we can't just "assume" something out of the blue.

You can fiddle with the regex for yourself (and see how and why it works)

https://regex101.com/r/VaY5Qn/1

0 Karma
Reply

marnall
Motivator
‎11-23-2024 05:49 AM

Assuming that field1 and field3 are always at the beginning and end of the line respectively, and assuming that their values do not contain spaces, and assuming they are separated by spaces, you could use this:

^(?<field1>\S+)\s*(?<field2>\S+)?\s(?<field3>\S+)$

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...