- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do you use rex to extract a specific field in ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
Can anybody help me extracting from this table with 3 regular expression:
I got a column in Splunk like this and the values between
Custom_Tag (this is the column name which i need to be split into 3 columns Account,AssetOwner,AssetDataStored)
"Key": "Account", "Value": "037395386785"
"Key": "AssetOwner", "Value": "Infrastructure"
"Key": "AssetDataStored", "Value": "InternalUseOnly"
"Key": "Account", "Value": "343254354354"
"Key": "AssetOwner", "Value": "Production"
"Key": "AssetDataStored", "Value": "ExternalUse"
and i need a rex to extract the values into 3 columns when matching the word Account,AssetOwner,AssedDataStored
Tag_Account Tag_AssetOwner Tag_AssetDataStored
037395386785 Infrastructure InternalUseOnly
343254354354 Production ExternalUse
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this should work:
| rex field=Custom_Tag "\"Account\",\s+\"Value\":\s+\"(?<Tag_Account>[^\"]+)"
| rex field=Custom_Tag "\"AssetOwner\",\s+\"Value\":\s+\"(?<Tag_AssetOwner>[^\"]+)"
| rex field=Custom_Tag "\"AssetDataStored\",\s+\"Value\":\s+\"(?<Tag_AssetDataStored>[^\"]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Give a try
| makeresults
| eval Custom_Tag ="\"Key\": \"Account\", \"Value\": \"037395386785\""
| append
[| makeresults
| eval Custom_Tag ="\"Key\": \"AssetOwner\", \"Value\": \"Infrastructure\""]
| append
[| makeresults
| eval Custom_Tag ="\"Key\": \"AssetDataStored\", \"Value\": \"InternalUseOnly\""]
| append
[| makeresults
| eval Custom_Tag ="\"Key\": \"Account\", \"Value\": \"343254354354\""]
| append
[| makeresults
| eval Custom_Tag ="\"Key\": \"AssetOwner\", \"Value\": \"Production\""]
| append
[| makeresults
| eval Custom_Tag ="\"Key\": \"AssetDataStored\", \"Value\": \"ExternalUse\""]
| eval temp = replace(Custom_Tag , "\"|:|Key|Value","")
| makemv delim="," temp
| eval column1 = ltrim(mvindex(temp,0))
| eval column2=ltrim(mvindex(temp,1))
| eval{column1}=column2
| stats list(Account) as Tag_Account,list(AssetDataStored) as Tag_AssetDataStored,list(AssetOwner) as Tag_AssetOwner
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Something like this should work:
| rex field=Custom_Tag "\"Account\",\s+\"Value\":\s+\"(?<Tag_Account>[^\"]+)"
| rex field=Custom_Tag "\"AssetOwner\",\s+\"Value\":\s+\"(?<Tag_AssetOwner>[^\"]+)"
| rex field=Custom_Tag "\"AssetDataStored\",\s+\"Value\":\s+\"(?<Tag_AssetDataStored>[^\"]+)"
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
