Splunk Search

splunk 6.1.2 + extracting values from a field + everything after the last semicolon

HattrickNZ
Motivator

I have a field with values like this "NENAME1/Some text:romc"

I would like to do something like this: eval field=, but this might not necessarily be the way to do it, to end up with a field like this: "romc". So effectively everything after the last ":".

What is the best way of achieving this? Do I use rex or is there some other clever way?

0 Karma
1 Solution

maciep
Champion

Yes, you can use rex. Here is one example. I'm sure there are better regular expressions to use, but this should give you an idea (not sure if all of your fields will be formatted just like your example)

origfield would be the original field you want to pull the data out of, and newfield would be the result you want.

....| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"


0 Karma
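To see what the accepted answer's pattern actually does, here is an added example (not from the original thread or from Splunk) that mimics `rex` and the later `stats count by yournewfield` check over a handful of constructed values. Splunk's rex uses PCRE named groups, `(?<newfield>...)`; Python's `re` module spells the same group `(?P<newfield>...)`, and the rest of the pattern is unchanged. The helpers `rex`, `extract_after_last_colon` and `stats_count_by` are hypothetical stand-ins for the Splunk commands, and the sample events are made up.

```python
import re
from collections import Counter

# Same regex as the answer, in Python's named-group spelling. Because the group
# may not contain a colon and is anchored to the end of the string with "$",
# the colon it follows is necessarily the LAST one in the value.
LAST_AFTER_COLON = re.compile(r":(?P<newfield>[^:]+)$")


def rex(event: dict, field: str, pattern: re.Pattern) -> dict:
    """Hypothetical stand-in for `| rex field=<field> "<pattern>"`.

    On a match, each named group becomes a new field on the event. On no match
    (or when the source field is absent) the event is returned unchanged, which
    is what Splunk's rex does: it does not create an empty field.
    """
    value = event.get(field)
    if value is None:
        return event
    m = pattern.search(value)
    if not m:
        return event
    out = dict(event)
    out.update({k: v for k, v in m.groupdict().items() if v is not None})
    return out


def extract_after_last_colon(value: str):
    """Return everything after the last ':' or None when there is nothing to extract."""
    m = LAST_AFTER_COLON.search(value)
    return m.group("newfield") if m else None


# Constructed sample events, not taken from the original thread.
EVENTS = [
    {"origfield": "NENAME1/Some text:romc"},
    {"origfield": "NENAME2/a:b:c"},       # several colons: only the last one counts
    {"origfield": "NENAME3/no-colon"},    # no colon: newfield is not created
    {"origfield": "NENAME4/trailing:"},   # nothing after the last colon: no match
    {"origfield": "NENAME5/Some text:romc"},
]


def stats_count_by(events, field: str) -> Counter:
    """Hypothetical stand-in for `| stats count by <field>`; events without the
    field are dropped, as stats does."""
    return Counter(e[field] for e in events if field in e)


def run():
    """Apply the extraction to every sample event and tally the results."""
    extracted = [rex(e, "origfield", LAST_AFTER_COLON) for e in EVENTS]
    return extracted, stats_count_by(extracted, "newfield")


if __name__ == "__main__":
    events, counts = run()
    for e in events:
        print(e)
    print(dict(counts))
```

The `[^:]+` part is what makes the pattern robust: a greedy `.*:(?<newfield>.*)$` would also land on the last colon, but it matches "NENAME4/trailing:" with an empty group, so you would end up counting blank values in `stats count by`. With `+`, values that have no text after the last colon simply never get the field.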


HattrickNZ
Motivator

Could not get that to work. I was getting: Error in 'rex' command: Encountered the following error while compiling the regex ':(?[^:]+)$': Regex: unrecognized character after (? or (?-

0 Karma

maciep
Champion

Hmm... I think maybe a posting error on my part, because everything in the angled brackets is missing.

...| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"

0 Karma

maciep
Champion

Ok, apparently I need to read up on how to post correctly on answers ...one more shot

...| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"

0 Karma

maciep
Champion

Nope, still no angle brackets.

But essentially after the ? you need a left angle bracket, then the name of the new field you want to use, then a right angle bracket. The rest of the regex should be fine as posted.

HattrickNZ
Motivator

| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?<newfield>[^:]+)$"

Thanks very much. Where can I play with rex in Splunk so I can see what part of the field it is extracting? Something like this

0 Karma

maciep
Champion

I typically use a site like that to verify my regex is correct before moving onto splunk.

In splunk, you can run the search with your rex command, and then click on the new field you created to see what's in there - either on each event or in the list of fields on the left hand side. You could also pipe your search to table or stats to see what values actually show up there, e.g. ... | stats count by yournewfield

Splunk also has a tool to help you create extractions by highlighting data across multiple events. Expand one of your events, click the Event Actions button and choose Extract Fields: http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX

0 Karma

HattrickNZ
Motivator

Thanks, but Splunk regex is different, or so it seems to me? I am looking for that field extractor but can't find the one that I have seen on previous versions, similar to this

0 Karma