Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex to extract field from csv

surekhasplunk
Communicator
‎04-05-2018 02:59 AM

Hi,

I want to extract below fields
First 5 fields are automatically extracted by splunk witihout any issues. But last 2 fields since they are starting with # symbol didnt get extracted correctly. How can i extract them ?
EmpNo,EmpName,EmpTitle,Region,Country,# completed,#not completed

12345,"Razal,Rafi",Lead Service Specialist,UK,United Kingdom,0,1

My file contnt looks like above line. I surrounded them with double quotes thinking that it will be easy for extraction since i have comma in Name field along with comma as delimiter to look like below.

"12345",""Razal,Rafi"","Lead Service Specialist","UK","United Kingdom","0","1"

Please help me with rex for field extraction. to extract last two fields.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ips_mandar
Builder
‎04-05-2018 03:26 AM

Try this regex when other fields are not surrounded by double quotes:

rex ",(?<completed>\d),(?<notCompleted>\d)$"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

logloganathan
Motivator
‎04-05-2018 05:36 AM

Could you please provide raw event to generate the Regex

0 Karma
Reply
Solved! Jump to solution
Solution

ips_mandar
Builder
‎04-05-2018 03:26 AM

Try this regex when other fields are not surrounded by double quotes:

rex ",(?<completed>\d),(?<notCompleted>\d)$"
0 Karma
Reply
Solved! Jump to solution

splunker12er
Motivator
‎04-05-2018 03:15 AM 
yoursearch |rex (?P<field1>\w+),(?P<field2>\w+),(?P<field3>\w+),(?P<field4>\w+),(?P<field5>\w+),(?P<field6>\#\s\w+),(?P<field7>\#\w+\s\w+)
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-05-2018 04:52 AM

Its not working giving me error at field2 as it has got comma inside the name i believe

0 Karma
Reply
Solved! Jump to solution

splunker12er
Motivator
‎04-05-2018 04:56 AM

Does all your data will have the same comma or only for this particular event?

0 Karma
Reply
Solved! Jump to solution

splunker12er
Motivator
‎04-05-2018 05:21 AM

try this,

yoursearch |rex '(?P<Emp_No>\d+),(?P<Emp_Name>\S+),(?P<Title>[\w|\s]+),(?P<Region>\w+),(?P<Country>[\w|\s]+),(?P<Completed>\d+),(?P<Not_Completed>\d+)' | table *
Reply
Solved! Jump to solution

splunker12er
Motivator
‎04-05-2018 05:23 AM

i saved the results here - you can verify below

https://regex101.com/r/ZenZiK/1

Reply
Solved! Jump to solution

splunker12er
Motivator
‎04-05-2018 05:25 AM

if this help, please vote/ mark as answered//...

🙂
thanks

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-09-2018 12:44 AM

Thanks you very much @splunker12er and ips_mandar. I just tweaked a little and it worked like magic. i used $ to get the last field and rest like (?P\d) to get the fields.

0 Karma
Reply
Solved! Jump to solution

surekhasplunk
Communicator
‎04-05-2018 05:14 AM

only for that particular event .. As other events might have 2 commas or might not have comma at all. for that column
Can we just ignore writing rex for those fields as splunk already extracts them well . its just that m more worried about the last 2 fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top