Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

rex help

darkins
Engager
‎11-23-2024 05:38 AM

probably an easy one, i have two events as follows

 

thisisfield1 thisisfield2 mynextfield3

thisisfield1 mynextfield3

meaning in some events field2 exists, in some it doesnt, when it does i want the value and when it doesnt i want it to be blank and all records have mynextfield3 and i always want that as field3

i want rex these lines and end up with

field1               field2              field3

thisisfield1    thisisfield2   mynextfield3

thisisfield1                              mynextfield3

 

Labels (1)
Labels
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-24-2024 04:07 AM

It all depends how your fields are delimited/anchored. @marnall 's answer is obvious if you have just two or three words separated by spaces. If your "layout" is different, you have to adjust it.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-24-2024 01:17 AM

Hi @darkins ,

could you share some samples of your logs, highlighting the strings to extract?

Ciao.

Giuseppe

0 Karma
Reply

darkins
Engager
‎11-24-2024 03:50 PM

not sure what else to put, this is what my data looks like

 

thisisfield1 thisisfield2 mynextfield3

thisisfield1 mynextfield3

 

i want these two lines to display as

 

field1               field2              field3

thisisfield1    thisisfield2   mynextfield3

thisisfield1                              mynextfield3

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-24-2024 11:29 PM

Hi @darkins ,

ad also @PickleRick and @marnall said, the regex depends on the log, so it's difficoult to create a regex without some sample.

If you have three words, separated by a space and somethimes there are only two words without any other rule, it's not possible to define a regex; if instead there's some additional rule in the firstfields or in the nextfield, it's possible to identify a regex.

Ciao.

Giuseppe

0 Karma
Reply

darkins
Engager
‎11-24-2024 03:54 PM

i guess the key is i think i need to say that field2 equals everything up to an m PRECEDED by a space?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2024 12:21 AM

The thing is that regex must match your data properly so we can't just "assume" something out of the blue.

You can fiddle with the regex for yourself (and see how and why it works)

https://regex101.com/r/VaY5Qn/1

0 Karma
Reply

marnall
Motivator
‎11-23-2024 05:49 AM

Assuming that field1 and field3 are always at the beginning and end of the line respectively, and assuming that their values do not contain spaces, and assuming they are separated by spaces, you could use this:

^(?<field1>\S+)\s*(?<field2>\S+)?\s(?<field3>\S+)$

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...