Splunk Search

splunk 6.1.2 + extracting values from a field + everything after the last semicolon

Motivator

I have a field with values like this "NENAME1/Some text:romc"

I would like to do something like this eval field=, but this might not necessarily be the way to do it, to end up with a field like this "romc". So effectively everything after the last ":".

What is the best way of achieving this? Do I use rex or is there some other clever way?

1 Solution

Champion

Yes, you can use rex. Here is one example. I'm sure there are better regular expressions to use, but this should give you an idea (not sure if all of your fields will be formatted just like your example)

origfield would be the original field you want to pull the data out of, and newfield would be the result you want.

....| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?<newfield>[^:]+)$"

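As an added example that is not part of the original answer: the regex the accepted solution relies on, run outside Splunk so you can see exactly what the named group captures. Splunk's rex uses PCRE syntax, (?<newfield>...), while Python's re module spells the same named group (?P<newfield>...); the rest of the pattern is identical. The sample values below are constructed for this illustration and the function names are my own. The block also contrasts the anchored [^:]+$ with a greedy .* pattern, which is the usual first attempt and silently captures after the first colon instead of the last.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# What you would type in Splunk (PCRE named group):
#   ... | rex field=origfield ":(?<newfield>[^:]+)$"
# Python equivalent of the same pattern: [^:]+ cannot cross a colon and $
# pins the match to the end, so only the text after the LAST colon can match.
AFTER_LAST_COLON = re.compile(r":(?P<newfield>[^:]+)$")

# Common wrong first attempt: .* is allowed to contain colons, so the match
# starts at the FIRST colon and swallows everything after it.
AFTER_FIRST_COLON = re.compile(r":(?P<newfield>.*)$")


def extract_after_last_colon(value: str) -> Optional[str]:
    """Return the text after the last ':' in value.

    Returns None where rex would leave newfield unset: no colon at all, or a
    colon with nothing after it (the group needs at least one character).
    """
    m = AFTER_LAST_COLON.search(value)
    return m.group("newfield") if m else None


def extract_after_first_colon(value: str) -> Optional[str]:
    """Same, with the greedy pattern, to show why [^:]+ matters."""
    m = AFTER_FIRST_COLON.search(value)
    return m.group("newfield") if m else None


# Constructed sample field values (hypothetical, not from the original post),
# covering the cases that matter: the original example, several colons,
# no colon, and a trailing colon.
SAMPLE_VALUES: List[str] = [
    "NENAME1/Some text:romc",
    "NENAME1/Other text:romc",
    "NENAME2/host:port:tcp",
    "NENAME3 no separator",
    "NENAME4/ends with:",
]


def stats_count_by(values: List[str]) -> Dict[str, int]:
    """Mimic `... | stats count by newfield` after the rex.

    rex leaves the field unset on events that do not match, and stats drops
    events whose by-field is null, so non-matching values simply disappear
    from the table rather than showing up as an empty string.
    """
    extracted = (extract_after_last_colon(v) for v in values)
    return dict(Counter(v for v in extracted if v is not None))


if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        print(f"{value!r:32} last-colon={extract_after_last_colon(value)!r:10} "
              f"first-colon={extract_after_first_colon(value)!r}")
    print(stats_count_by(SAMPLE_VALUES))
```

When checking this in Splunk, the last two sample values would show up as events with no newfield at all; if you need those counted, use fillnull before the stats, or loosen the pattern deliberately rather than by accident.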


Motivator

Could not get that to work. I was getting: Error in 'rex' command: Encountered the following error while compiling the regex ':(?[^:]+)$': Regex: unrecognized character after (? or (?-


Champion

Hmm... I think maybe a posting error on my part, because everything in the angled brackets is missing.

...| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"


Champion

OK, apparently I need to read up on how to post correctly on Answers... one more shot

...| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?[^:]+)$"


Champion

Nope, still no angle brackets.

But essentially after the ? you need a left angle bracket, then the name of the new field you want to use, then a right angle bracket. The rest of the regex should be fine as posted.

Motivator

| eval origfield="NENAME1/Some text:romc" | rex field=origfield ":(?<newfield>[^:]+)$"

Thanks very much. Where can I play with rex in Splunk so I can see what part of the field it is extracting? Something like this


Champion

I typically use a site like that to verify my regex is correct before moving onto splunk.

In splunk, you can run the search with your rex command, and then click on the new field you created to see what's in there - either on each event or in the list of fields on the left hand side. You could also pipe your search to table or stats to see what values actually show up there, e.g. ... | stats count by yournewfield

Splunk also has a tool to help you create extractions by highlighting data across multiple events. Expand one of your events, click the Event Actions button and choose Extract Fields: http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX


Motivator

Thanks, but Splunk regex is different, or so it seems to me? I am looking for that field extractor but can't find the one that I have seen on previous versions, similar to this
