Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract fields in specific position

marco_massari11
Communicator
‎12-15-2020 06:12 AM

Hi,

I have some logs like this:

fields ............................................. Location=Location#All Locations#Site#City#E-MY-SIT-00-XYZ#TEST, fields..........................

So I need to extract for example E-MY-SIT-00-XYZ from Location field. The string E-MY-SIT-00-XYZ could be different but the schema is always 1Letter-2letters-3letters-2numbers-3letters. Can you help me to extract the string?

Thank you in advance

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-15-2020 06:25 AM

Hi @marco_massari11,

if you already extracted the location field, you can restrict the regex to the content of this field instead to the full event.

Then you have to create a regex that matches the rule of your field to extract:

  • letters are \w
  • numbers are \d
  • the other chars are the same (e.g. "-") or eventually escaped (e.g. you have to escape = or ")")

in other words, you have to try something like this:

| rex field=Locatioon "(?<your_field>\w-\w\w-\w\w\w-\d\d-\w\w\w#\w\w\w\w)"

regex that you can test at https://regex101.com/r/esbM8c/1

If you're not sure about the number of digits or letters, you can use the repeter in this way:

| rex field=Location "(?<your_field>\w-\w+-\w+-\d+-\w+#\w+)"

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎12-15-2020 06:25 AM

Hi @marco_massari11,

if you already extracted the location field, you can restrict the regex to the content of this field instead to the full event.

Then you have to create a regex that matches the rule of your field to extract:

  • letters are \w
  • numbers are \d
  • the other chars are the same (e.g. "-") or eventually escaped (e.g. you have to escape = or ")")

in other words, you have to try something like this:

| rex field=Locatioon "(?<your_field>\w-\w\w-\w\w\w-\d\d-\w\w\w#\w\w\w\w)"

regex that you can test at https://regex101.com/r/esbM8c/1

If you're not sure about the number of digits or letters, you can use the repeter in this way:

| rex field=Location "(?<your_field>\w-\w+-\w+-\d+-\w+#\w+)"

Ciao.

Giuseppe

Reply
Solved! Jump to solution

marco_massari11
Communicator
‎12-15-2020 06:41 AM

Hi @gcusello ,

Thank you so much for your help. It works perfectly.

Ciao

Marco

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...