Hi Splunker!
I have some trouble extracting values.
for example,
fruits
apple (blah blah blah)
apple (blah2 blah2 blah2)
apple (blah3 blah3 blah3)
melon (blah blah blah)
melon (blah1 blah2 blah3)
orange (blah blah blah)
peach (blah blah blah)
so I want to extract values as below
apple
melon
orange
peach
I tried to use
eval fruit = if('fruit' like "apple%", "apple", if('fruit' like "melon%", "melon", if('fruit' like "orange%", "orange", if('fruit' like "peach%", "peach", 'fruit'))))
It was successful, but too inefficient when there are too many values.
Can I extract the values using 'rex mode=sed' ?
or do you have another way to extract values?
Please Help me Splunker!
Hi hhlee,
based on your provided samples, you can use a simple rex search command like this:
your base search here | rex "^(?<myFruit>\w+)\s" | ...
This will create a new field called myFruit, if you need that field often set it up as automatic field extraction like written in the docs http://docs.splunk.com/Documentation/Splunk/6.2.1/Knowledge/Managesearch-timefieldextractions
The rex mode=sed is mainly used to replace characters or for character substitution.
hope this helps ...
cheers, MuS
thank you for your help! it works well 🙂
I haven't used SED for rex, however it is fully supported according to docs.
.... | rex field=ccnumbers mode=sed "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"
That should work.
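As an added illustration (my own Python, not code from the thread or from Splunk), the two rex forms discussed above run against constructed sample events: the named-capture extraction MuS suggested, and the mode=sed substitution from the answer just above. The sample values and the helper names are assumptions made for this example.

```python
import re

# Constructed sample events modelled on the question: a fruit name followed
# by free text, plus a card-number field to show what rex mode=sed does.
SAMPLE_EVENTS = [
    "apple (blah blah blah)",
    "apple (blah2 blah2 blah2)",
    "melon (blah1 blah2 blah3)",
    "orange (blah blah blah)",
    "peach (blah blah blah)",
]
SAMPLE_CCNUMBERS = [
    "4111-1111-1111-1111",   # constructed test number, not a real card
    "no card here",
]

# Equivalent of: rex "^(?<myFruit>\w+)\s"
# A named capture group creates a new field; the event text is left unchanged.
FRUIT_RE = re.compile(r"^(?P<myFruit>\w+)\s")

def extract_fruit(event: str):
    """Return the myFruit value, or None when the pattern does not match
    (Splunk's rex simply leaves the field unset in that case)."""
    m = FRUIT_RE.match(event)
    return m.group("myFruit") if m else None

def distinct_fruits(events):
    """Ordered distinct values, the list the question asked for."""
    seen = []
    for f in (extract_fruit(e) for e in events):
        if f is not None and f not in seen:
            seen.append(f)
    return seen

# Equivalent of: rex field=ccnumbers mode=sed "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"
# mode=sed rewrites the field's value in place instead of extracting a new field.
MASK_RE = re.compile(r"(\d{4}-){3}")

def mask_ccnumber(value: str) -> str:
    # the trailing /g flag corresponds to count=0 (replace every occurrence)
    return MASK_RE.sub("XXXX-XXXX-XXXX-", value, count=0)

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e!r:30} -> myFruit={extract_fruit(e)}")
    print("distinct:", distinct_fruits(SAMPLE_EVENTS))
    for c in SAMPLE_CCNUMBERS:
        print(f"{c!r:25} -> {mask_ccnumber(c)}")
```

Note that `^(\w+)\s` needs whitespace after the word, so an event that is just "apple" yields no field at all rather than "apple".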
thank you for your help 🙂