How to write the REGEX to extract and add new fiel...

moiezuddin · ‎03-18-2015

I have a search:

source="/opt/www/logs/nbcucentral/nbcucentral.log"| rex "(?P\w+.\w+@\w+.\w+)" | rex "details (?P\w+)" | rex "(?\d{9})" | stats count by Name, Email, User_ID

It is showing the result of fields Name, Email, sso

Now i need to add some more fields to the existing query..

Fields which i need to add are:
jobTitle
orgName
orgSegment
parentOrgname
userType

Kindly help on it

tachifelix · ‎03-19-2015

use regex command. sommething like this

....| regex jobTitle= "(?P\w+.\w+@\w+.\w+)" | regex orgName=  "details (?P\w+)" | regex orgSegment= "(?\d{9})"|.....

moiezuddin · ‎03-19-2015

Not working tried it.
thanks for the effort

chimell · ‎03-19-2015

Hi moiezuddin
Try this new request

source="/opt/www/logs/nbcucentral/nbcucentral.log" | rex "(?P\w+.\w+@\w+.\w+)" | rex "details (?P\w+)" | rex "(?\d{9})" | stats count by  Name , Email , User_ID | lookup  identity_lookup  sso  OUTPUT  jobTitle  orgName  orgSegment  parentOrgname  userType|table    Name  Email User_ID jobTitle  orgName  orgSegment  parentOrgname  userType sso

Tell me if it work like you want

moiezuddin · ‎03-19-2015

Hi cheimell,

The clear information given at below link

http://answers.splunk.com/answers/221255/how-to-build-a-dashboard-to-show-extracted-email-d.html
(Unable to copy that link some attributes missing so i given aove link)

At the end this link u can able to find one query, (Showing exact result )
to that query i need add some more fields to get result
The fields need to add are jobTitle orgName orgSegment parentOrgname userType

Kindly help on it

kendrickt · ‎03-18-2015

Hi Moiezuddin,

I think you'll find it really beneficial to use Splunks integrated field extractor.

You can literally highlight the fields you want to extract and Splunk will do it for you.

Here's some documentation:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/ExtractfieldsinteractivelywithIFX

I also answered a question about the use of regex in Splunk which will help you here:

http://answers.splunk.com/answers/208288/need-help-with-regex-1.html#answer-207298

This way, you can see how to apply the rex command and you can extract all the fields you want.

Good luck!

moiezuddin · ‎03-18-2015

Hi Kendrickt,
Thanks for your explanation.
The problem is In sample data mentioned fields are not present, so unable to extract field
we have a lookup table name as identity_lookup in which the fields are present.
identity_lookup is present in lookup definition not in automatic lookup
With the help of identity_lookup table can you able to provide me query which can extract the requested fields
Can you help on it

richgalloway · ‎03-18-2015

Please share some sample data so we know where to find the requested fields.

---
If this reply helps you, Karma would be appreciated.

moiezuddin · ‎03-18-2015

HI ,
In sample data mentioned fields are not present
we have a lookup table name as identity_lookup in which the fields are present.
Can you help on it

How to write the REGEX to extract and add new fields to existing search results?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life