Solved: rex to extract field from csv

surekhasplunk · ‎04-05-2018

Hi,

I want to extract below fields
First 5 fields are automatically extracted by splunk witihout any issues. But last 2 fields since they are starting with # symbol didnt get extracted correctly. How can i extract them ?
EmpNo,EmpName,EmpTitle,Region,Country,# completed,#not completed

12345,"Razal,Rafi",Lead Service Specialist,UK,United Kingdom,0,1

My file contnt looks like above line. I surrounded them with double quotes thinking that it will be easy for extraction since i have comma in Name field along with comma as delimiter to look like below.

"12345",""Razal,Rafi"","Lead Service Specialist","UK","United Kingdom","0","1"

Please help me with rex for field extraction. to extract last two fields.

ips_mandar · ‎04-05-2018

Try this regex when other fields are not surrounded by double quotes:

rex ",(?<completed>\d),(?<notCompleted>\d)$"

View solution in original post

logloganathan · ‎04-05-2018

Could you please provide raw event to generate the Regex

ips_mandar · ‎04-05-2018

Try this regex when other fields are not surrounded by double quotes:

rex ",(?<completed>\d),(?<notCompleted>\d)$"

splunker12er · ‎04-05-2018

yoursearch |rex (?P<field1>\w+),(?P<field2>\w+),(?P<field3>\w+),(?P<field4>\w+),(?P<field5>\w+),(?P<field6>\#\s\w+),(?P<field7>\#\w+\s\w+)

surekhasplunk · ‎04-05-2018

Its not working giving me error at field2 as it has got comma inside the name i believe

splunker12er · ‎04-05-2018

Does all your data will have the same comma or only for this particular event?

splunker12er · ‎04-05-2018

try this,

yoursearch |rex '(?P<Emp_No>\d+),(?P<Emp_Name>\S+),(?P<Title>[\w|\s]+),(?P<Region>\w+),(?P<Country>[\w|\s]+),(?P<Completed>\d+),(?P<Not_Completed>\d+)' | table *

splunker12er · ‎04-05-2018

i saved the results here - you can verify below

https://regex101.com/r/ZenZiK/1

splunker12er · ‎04-05-2018

if this help, please vote/ mark as answered//...

🙂
thanks

surekhasplunk · ‎04-09-2018

Thanks you very much @splunker12er and ips_mandar. I just tweaked a little and it worked like magic. i used $ to get the last field and rest like (?P\d) to get the fields.

surekhasplunk · ‎04-05-2018

only for that particular event .. As other events might have 2 commas or might not have comma at all. for that column
Can we just ignore writing rex for those fields as splunk already extracts them well . its just that m more worried about the last 2 fields.

rex to extract field from csv

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

rex to extract field from csv

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem