Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

within "Extract Fields", how can I start the regular expression with a value from another field?

chgray
New Member
‎09-18-2016 11:49 AM

I have a field 'foo', it has a value like "data1_data2"

I'd like to make an Extracted Field that starts with the contents of 'foo', instead of the entire raw event

is that possible?

Tags (1)
0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎09-18-2016 04:17 PM

You may wish to keep in mind that if the field is an auto-extracted field, the extraction in the props.conf will need to be done on the raw data.

In other words if your data looks like:
key=value key2=value3 key3=value3

A field extraction using the "in" keyword in the props.conf file such as:
EXTRACT-field3 = [A-Za-z]+ in key3

Will not work as expected as the key/key2/key3 fields are not index time fields, they are search time only.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

ddrillic
Ultra Champion
‎09-18-2016 02:18 PM

Information about it at - Extract fields using regular expressions

Maybe change -

... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

to - ... | rex field=foo "From: (?<from>.*) To: (?<to>.*)"

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...