Splunk Search

Name Extraction needed

mbasharat
Builder

Hi,

I have the scenario below, where a sample gym has many customers and their accounts. Some are individual and some are individual plus co-signer. I need to have the name combinations below extracted from the data via regex, if possible, into new fields respectively, as shown in the table below.

Where they come out as null after extraction, I will just fill them with fillnull or eval. Thanks in advance!!!

[screenshot 2020-09-22_11-18-01.png: table of name combinations]

Sample:

[screenshot 2.png: sample data]

0 Karma

ITWhisperer
SplunkTrust

What do the source file records actually look like? (Obviously, you should anonymise any real data.)

mbasharat
Builder

Hi @ITWhisperer,

I have updated the question with some mock samples.

0 Karma

ITWhisperer
SplunkTrust

How is this data coming into Splunk? Are they comma-separated lines? Is it XML? Is it JSON? Can you share the raw data (anonymised)? That is, can you share it in a format that rex can be applied to?

0 Karma

mbasharat
Builder

Hi @ITWhisperer,

Data is from flat/txt logfiles.

Fields are delimited by pipe "|".

Data is in below format:

2020-09-22 17:46:59,092|INFO|SVCRESP|clientid123|SEE|ABC|ECM|INFO|0000000000|1.1.1.1|123456789|202011|05|2|SUCCESS|TEST|sampleserver.com|default task-7|10|9999999999

The highlighted "clientid123" is what I match on using a lookup that contains client account information.

If the client id is clientid123, then the lookup correlation in the search brings in the client info as well as the associated cosigner/account holder. These client and co-account holder names come in the combinations shown in the screenshots in the question, and I need to break them down/extract them into new fields using rex in a clean format.

0 Karma

ITWhisperer
SplunkTrust

OK, if I understand correctly:

-- your search
| lookup accountfile clientId

This will add PRIMARY, PRIMARYMIDDLE, PRIMARYLAST, SECONDARYFIRST, SECONDARYMIDDLE and SECONDARYLAST fields to your event (from the file). I am assuming the lookup file is correctly formatted for this already, or is that the issue?

Is this what is already happening? What more do you need?

0 Karma

mbasharat
Builder

Hi @ITWhisperer,

The analogy you mentioned for the search is correct and that's what I am using, BUT the only fields the lookup has are clientID, Primary and Secondary names. These names are not broken down into First, Middle and Last for both Primary and Secondary.

The lookup has only the below:

ClientID, PrimaryName,SecondaryName

That breakdown is what I need for both Primary and Secondary names as shown in the snapshots attached in original question.

0 Karma

ITWhisperer
SplunkTrust

So you want a regex that will take a name (PrimaryName or SecondaryName) and split it into First, Middle and Last? How do you distinguish between names which have first and middle only and first and last only?

0 Karma

mbasharat
Builder

That's correct. I need a regex that will take a name (PrimaryName or SecondaryName) and split it into First, Middle and Last.

As for the question about how to distinguish between names which have first and middle only and first and last only: they are still under Primary/Secondary for each. So as long as Primary and Secondary are broken down, it looks like all will be broken down fine, wouldn't they?

0 Karma

ITWhisperer
SplunkTrust

Given your example data, some people have two last names (and no middle name), some people have two middle names, some people have two first names and a middle name/initial. If you took the name and split it by spaces into its constituent parts (and I guess there could be more than 4, although your examples don't show any), it might be possible to construct a number of options.

0 Karma
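As an added example (not code from the thread or from Splunk), here is a Python model of the pipeline the thread describes: parse the pipe-delimited event, emulate `| lookup accountfile clientId` against constructed lookup rows, and split each name positionally with the same regex you would hand to `rex`. The sample event reuses the posted line layout with mock values; the lookup rows, the names, and the output field names (PRIMARYFIRST etc., following ITWhisperer's naming) are all constructed. Python's `re` spells named groups `(?P<name>...)`, so the SPL form is translated with one substitution.

```python
import re

# Constructed sample event; the field layout follows the line posted in the
# thread (field 4 is the client id), values are mock data.
SAMPLE_EVENT = ("2020-09-22 17:46:59,092|INFO|SVCRESP|clientid123|SEE|ABC|ECM|INFO"
                "|0000000000|1.1.1.1|123456789|202011|05|2|SUCCESS|TEST"
                "|sampleserver.com|default task-7|10|9999999999")

# Constructed stand-in for the lookup file (ClientID, PrimaryName, SecondaryName).
LOOKUP = {
    "clientid123": {"PrimaryName": "John Q Smith", "SecondaryName": "Maria Garcia Lopez"},
    "clientid456": {"PrimaryName": "Madonna", "SecondaryName": ""},
}

# The regex as it would appear in SPL, e.g.
#   | rex field=PrimaryName "^(?<PRIMARYFIRST>\S+)(?:\s+(?<PRIMARYMIDDLE>.+?))?\s+(?<PRIMARYLAST>\S+)$"
# First token -> first, last token -> last, whatever sits between (lazily) -> middle.
SPL_NAME_REGEX = r"^(?<first>\S+)(?:\s+(?<middle>.+?))?\s+(?<last>\S+)$"

# Splunk (PCRE) accepts (?<name>...); Python's re needs (?P<name>...).
# The substitution is safe here because the pattern contains no lookbehind.
NAME_RE = re.compile(SPL_NAME_REGEX.replace("(?<", "(?P<"))


def parse_event(line):
    """Split a pipe-delimited event into fields; field 4 (index 3) is the client id."""
    fields = line.split("|")
    return {"clientid": fields[3], "fields": fields}


def split_name(name):
    """Positional first/middle/last split mirroring the rex above.

    Returns None for an empty name. A single-token name does not match the
    rex at all (no whitespace), so it is mapped to first only; that is the
    null case the fillnull/eval step in the thread has to cover.
    """
    name = name.strip()
    if not name:
        return None
    m = NAME_RE.match(name)
    if m:
        return {"first": m.group("first"), "middle": m.group("middle"), "last": m.group("last")}
    return {"first": name, "middle": None, "last": None}


def enrich(line, lookup=LOOKUP):
    """Emulate `| lookup accountfile clientId` followed by one rex per name field."""
    ev = parse_event(line)
    row = lookup.get(ev["clientid"])
    if row is None:
        return ev
    empty = {"first": None, "middle": None, "last": None}
    for role in ("Primary", "Secondary"):
        parts = split_name(row[role + "Name"]) or empty
        ev[role.upper() + "FIRST"] = parts["first"]
        ev[role.upper() + "MIDDLE"] = parts["middle"]
        ev[role.upper() + "LAST"] = parts["last"]
    return ev


if __name__ == "__main__":
    for key, value in enrich(SAMPLE_EVENT).items():
        if key != "fields":
            print(f"{key}={value}")
```

Note that the split is purely positional: "Maria Garcia Lopez" comes out as middle=Garcia, last=Lopez, which is wrong if "Garcia Lopez" is a compound surname. That is the ambiguity raised above; no regex can resolve it from the string alone, so the lookup file would need to carry the breakdown (or a separator) for those cases.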

mbasharat
Builder

Hi @ITWhisperer,

That is exactly what I am dealing with.

0 Karma