Splunk Search

Field Extraction from Regex

tmarlette
Motivator

So I am relatively new to extracting fields in Splunk, but I have some knowledge of regex, and I'm attempting to apply it in Splunk.

I have a pattern I am attempting to extract and put into a field. The pattern looks like this:

USER@TEST 

I am using this expression to match the pattern:

(\w+@\w+)

I would like to extract this into a field called "user_domain", and I'm having some difficulty renaming (\w+@\w+) as "user_domain".

PS... this forum doesn't show forward slashes; however, they are there. 😃

yannK
Splunk Employee

Out of curiosity, are you trying to extract Apache logs or IIS logs?

Existing sourcetypes provide automatic extraction:

tmarlette
Motivator

It does happen automagically, but you can make any sourcetype extract the same fields with the transform. Start by taking a look at props.conf and transforms.conf for general IIS field extractions.

0 Karma

tmarlette
Motivator

Negative, yannK. These are proprietary log messages that I'm attempting to scrub.

But to make sure I understand you correctly, because we do have Apache and IIS logs here as well: if I name my sourcetype "access_combined" and send my IIS / Apache logs there, Splunk will extract a set of fields auto-magically?

0 Karma

yannK
Splunk Employee

Yes, some sourcetypes are defined and provide automatic field extractions. Look for: syslog, access_combined and apache_errors ...

see http://docs.splunk.com/Documentation/Splunk/4.3.2/Data/Listofpretrainedsourcetypes

0 Karma

Ayn
Legend

What ways did you try? You could make use of the rex command, like this:

... | rex "(?<user_domain>\w+@\w+)"

Or you could make this kind of extraction permanent by using the interactive field extractor (http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample).
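
As an added example (not code from the thread or from Splunk), here is a quick Python check of what the rex pattern above actually captures before it is made permanent. Python's `re` needs the `(?P<name>...)` spelling for a named group; PCRE, which Splunk's rex uses, accepts that spelling as well as `(?<name>...)`. The sample events, the `user=` key and the tighter second pattern are constructed for this example and are assumptions, not anything from the original post.

```python
import re

# Constructed sample events for this example; the thread itself only shows the
# literal pattern USER@TEST. The "user=" key and other fields are assumptions.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00Z login ok user=USER@TEST src=10.0.0.5",
    "2024-03-01T10:00:01Z login ok user=jdoe@CORP src=10.0.0.9",
    "2024-03-01T10:00:02Z login failed user=first.last@test-lab.example src=10.0.0.7",
    "2024-03-01T10:00:03Z heartbeat node=edge01",
]

# The pattern from the accepted answer. Python's re needs (?P<name>...);
# PCRE, which Splunk's rex uses, accepts that spelling as well as (?<name>...).
LOOSE_RE = re.compile(r"(?P<user_domain>\w+@\w+)")

# A tighter pattern (an assumption for this example, not from the thread):
# anchor on the key, allow the punctuation real user and domain names contain,
# and emit the two halves as their own fields alongside user_domain.
STRICT_RE = re.compile(
    r"user=(?P<user_domain>(?P<user>[\w.+-]+)@(?P<domain>[\w.-]+))"
)


def rex(event: str, pattern: re.Pattern) -> dict:
    """Mimic Splunk's rex for one event: the first match wins and every named
    capture group becomes a field. Events that do not match get no fields,
    just as rex leaves them untouched instead of erroring."""
    m = pattern.search(event)
    return m.groupdict() if m else {}


def extract_all(events, pattern: re.Pattern) -> list:
    """Run the extraction over a batch of events, like `... | rex` over a search."""
    return [rex(e, pattern) for e in events]


def disagreements(events) -> list:
    """Return (event, loose_value, strict_value) for every event where the two
    patterns extract different user_domain values. A non-empty result means
    the loose pattern is silently truncating values (\\w stops at '.' and '-'),
    which is the kind of gap to catch before the extraction is made permanent."""
    out = []
    for e in events:
        loose = rex(e, LOOSE_RE).get("user_domain")
        strict = rex(e, STRICT_RE).get("user_domain")
        if loose != strict:
            out.append((e, loose, strict))
    return out


if __name__ == "__main__":
    for e, fields in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS, LOOSE_RE)):
        print(f"loose : {fields!r:<40} <- {e}")
    for e, fields in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS, STRICT_RE)):
        print(f"strict: {fields!r:<40} <- {e}")
    for e, loose, strict in disagreements(SAMPLE_EVENTS):
        print(f"mismatch: loose={loose!r} strict={strict!r} in {e!r}")
```

The point of the third sample event is that `\w+@\w+` does not fail on a value like `first.last@test-lab.example`; it quietly returns `last@test`, which is worse than a missing field. Once a pattern extracts what you expect on real events, the same regex (in the `(?<name>...)` spelling) is what goes into an `EXTRACT-` setting in props.conf to make it permanent.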

tmarlette
Motivator

Actually... I didn't try that at all.

<--- Shamed

| rex "(?<user_domain>\w+@\w+)"
That worked splendidly, thank you!

I did try the interactive extractor though, but it won't extract everything I needed it to.

0 Karma