Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex field

Azwaliyana
Path Finder
‎11-15-2021 06:01 AM

I want to extract the Country and the Node. When I use the rex in regex101, it works fine. But when I put it on Splunk search, it did not extract the Country and the Node. Do you guys know where is my mistake?

fortinet.PNG

This is my search query.

 

 

index="maxis_csaroam_index" source="/home/csaops/csaroam/*_MOS.csv" 
| dedup Description
| table Description
| rex field=Description "(?<Country>[\w]+)(?<Node>[\w\- ]*\n)"

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2021 06:46 AM

Try without the newline in the match

| rex field=Description "(?<Country>[\w]+)(?<Node>[\w\- ]+)"

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-16-2021 06:16 AM

Give this a try (avoided using dedup command as well, best practice)

index="maxis_csaroam_index" source="/home/csaops/csaroam/*_MOS.csv" 
| stats count by Description
| table Description
| rex field=Description "(?<Country>\S+)\s+(?<Node>\S+)"
0 Karma
Reply
Solved! Jump to solution

bhargavi
Path Finder
‎11-15-2021 08:54 AM

Hi @Azwaliyana ,

Try this.

| rex field=Description "(?<Country>\w+)\s(?<Node>\w*\-?\w+)"

 

bhargavi_0-1636995231697.png

 

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-15-2021 06:46 AM

Try without the newline in the match

| rex field=Description "(?<Country>[\w]+)(?<Node>[\w\- ]+)"
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...