
How do I extract a field from my raw data using rex?

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I'm very new to using Splunk and most certainly to the rex command and regular expressions, so please bear with.

I'm trying to extract a nino field from my raw data which is in the following format "nino\":\"AB123456B\".

Could someone possibly tell me please how I may strip the actual nino number out of this line.

Many thanks and kind regards

Chris

0 Karma
1 Solution

woodcock
Esteemed Legend

This should work:

... | rex "nino[\\\":]*(?<nino>[^\\\":]*)"


bablucho
Path Finder

Hi All,

I'm trying to achieve the something similar using regular expressions on raw data...

I want to extract the figures at the end of row ESS1. If someone could help me extract the field and strip out the figures, that would be great!

ESCO - [57]
ESDC - [82]
ESEM - [170]
ESS1 - [2813]
ESVI - [706]
F421 - [30]

Thanks
Bablucho

0 Karma

MuS
SplunkTrust

Try this:

... | rex "ESS1 - \[(?<thatfield>[^\]]+)"

This will create a field called thatfield with the value 2813, based on your provided example.

cheers, MuS

0 Karma

bablucho
Path Finder

Thanks MuS, I think this would work, though I've just realised the raw data I pasted in didn't include the white spaces...

ESCO - [57]
ESDC - [82]
ESEM - [170]
ESS1{14whitespaces}-{3whitespaces} [2813]
ESVI - [706]
F421 - [30]

0 Karma

bablucho
Path Finder

I've got it to work with the below

... | rex "ESS1\s\s\s\s\s\s\s\s\s\s\s\s\s\s.\s\s\s\[(?<thatfield>[^\]]+)"

0 Karma
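The two ESS1 patterns in this exchange (MuS's single-space version and the fourteen-times-\s version that worked on the padded row) behave differently depending on how much whitespace sits around the dash. The script below is an added example, not code from the thread: it transcribes both patterns into Python's re module (which needs (?P<name>...) where Splunk's PCRE accepts (?<name>...)), runs them over a constructed sample that reproduces the described padding, and adds a whitespace-tolerant form that works whatever the padding is. The sample text, the pattern names and the extract_all_counts helper are all assumptions made for the example.

```python
import re

# Constructed sample (not the poster's real data) reproducing the layout the
# thread describes: every row is "<code> - [<count>]", except that the ESS1 row
# has 14 spaces before the dash and 3 after it.
SAMPLE = "\n".join([
    "ESCO - [57]",
    "ESDC - [82]",
    "ESEM - [170]",
    "ESS1" + " " * 14 + "-" + " " * 3 + "[2813]",
    "ESVI - [706]",
    "F421 - [30]",
])

# MuS's pattern in Python syntax: exactly one space either side of the dash.
SINGLE_SPACE = re.compile(r"ESS1 - \[(?P<thatfield>[^\]]+)")

# The working version from the thread, with the fourteen and three \s written
# as counted repeats. It only matches rows with exactly that amount of padding.
COUNTED = re.compile(r"ESS1\s{14}.\s{3}\[(?P<thatfield>[^\]]+)")

# Whitespace-tolerant form: \s* accepts any amount of padding (including none),
# \d+ insists the captured value is digits, and the literal "-" and "]" stop
# the match drifting into neighbouring text. ^ with MULTILINE pins it to the
# start of a row so "ESS1" inside some other token cannot match.
TOLERANT = re.compile(r"^ESS1\s*-\s*\[(?P<thatfield>\d+)\]", re.MULTILINE)


def extract(pattern, text):
    """Return the named group 'thatfield' from the first match, or None."""
    m = pattern.search(text)
    return m.group("thatfield") if m else None


def extract_all_counts(text):
    """Generalise the tolerant pattern to every row: map code -> count."""
    row = re.compile(r"^(?P<code>\w+)\s*-\s*\[(?P<count>\d+)\]", re.MULTILINE)
    return {m.group("code"): int(m.group("count")) for m in row.finditer(text)}


if __name__ == "__main__":
    print("single space :", extract(SINGLE_SPACE, SAMPLE))  # None on the padded row
    print("counted      :", extract(COUNTED, SAMPLE))
    print("tolerant     :", extract(TOLERANT, SAMPLE))
    print("all rows     :", extract_all_counts(SAMPLE))
```

Running it shows the single-space pattern missing the padded row entirely, the counted pattern matching it but failing on a normally spaced "ESS1 - [2813]", and the tolerant pattern matching both. The same \s* form works unchanged in Splunk's rex, since PCRE understands it identically.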

IRHM73
Motivator

Hi @woodcock, thank you for taking the time to reply to my post, this works great.

Many thanks and kind regards

Chris

0 Karma

MuS
SplunkTrust

Hi IRHM73,

if your _raw events really contain the provided example, you can run this rex command:

your base search here | rex field=_raw ":\\"(?<nino>\w+)\\""

This will match any run of word characters [a-zA-Z0-9_] after :\" and put it into the field called nino.

Hope this helps ...

cheers, MuS

IRHM73
Motivator

Hi @MuS, thank you for coming back to me with this, I really appreciate it. The format of the nino field was "nino\":\"AB123456B\". But not to worry, I've been able to extract this using the solution by @woodcock.

Once again sincere thanks for your help.

Many thanks and kind regards

Chris

0 Karma

IRHM73
Motivator

Hi @Mus, thank you for coming back to me with this.

Unfortunately, due to its sensitive data, I can't send you the raw data, but perhaps if you could explain what you need, I may be able to put something together.

Many thanks and kind regards

Chris

0 Karma

MuS
SplunkTrust

Hi there, it is currently not 100% clear whether the event looks like this: nino":"AB123456B" or like this: nino\":\"AB123456B\". Can you please confirm whether it is the first or the latter one?

0 Karma

otman01
Communicator

Hi everyone,
how can we use rex field=_raw in an input field? I couldn't make it work correctly.

0 Karma

MuS
SplunkTrust

I suggest opening a new question and providing more details.

0 Karma

IRHM73
Motivator

Hi, that's great thank you very much, but could you tell me please how I search for the 'nino' field.

Could you also tell me please, is it possible to search for the field 'nino' specifically because my raw data contains a number of fields with the same "fieldname":"fieldvalue" format.

Many thanks and kind regards

Chris

0 Karma

MuS
SplunkTrust

Just add any search or stats command in the next search pipe like this:

your base search here | rex field=_raw ":\\\"(?<nino>\w+)\\\"" | table nino

or

your base search here | rex field=_raw ":\\\"(?<nino>\w+)\\\"" | search nino=AB*

0 Karma
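Two patterns are in play in this thread: woodcock's accepted nino[\\\":]*(?<nino>[^\\\":]*), which anchors on the literal key, and MuS's :\\\"(?<nino>\w+)\\\", which anchors only on the colon-and-quote that every "fieldname":"fieldvalue" pair shares (the concern Chris raises about several fields having the same format). The script below is an added example, not code from the thread or from Splunk: it transcribes both to Python's re module (Python writes named groups as (?P<name>...) where Splunk's PCRE accepts (?<name>...)), runs them over constructed events in both the backslash-escaped and the plain-quoted form, and generalises the key-anchored idea into a helper that extracts any named field. The sample events, the function names and the extract_field helper are assumptions made for the example.

```python
import re

# Constructed sample events (not data from the thread). The first has the
# backslash-escaped quotes the question describes; the second is the same
# payload with plain quotes. Both carry several "key":"value" pairs so that a
# pattern anchored on the wrong thing is visibly wrong.
RAW_ESCAPED = r'{\"middleNames\":\"JOHN\",\"nino\":\"AB123456B\",\"surname\":\"SMITH\"}'
RAW_PLAIN = '{"middleNames":"JOHN","nino":"AB123456B","surname":"SMITH"}'

# woodcock's accepted pattern, transcribed to Python syntax. After the literal
# key it skips any run of backslashes, quotes and colons, then captures up to
# the next backslash, quote or colon, so it copes with both quoting styles.
WOODCOCK = re.compile(r'nino[\\":]*(?P<nino>[^\\":]*)')

# The shape of MuS's suggestion (a colon, a possibly escaped quote, a run of
# word characters, a closing quote) with no key in front of it. It takes the
# FIRST such pair in the event, whatever its key happens to be.
GENERIC = re.compile(r':\\?"(?P<value>\w+)\\?"')


def extract_nino(raw):
    """Return the nino value using the key-anchored pattern, or None."""
    m = WOODCOCK.search(raw)
    return m.group("nino") if m else None


def extract_first_value(raw):
    """Return whatever the key-less pattern grabs first, or None."""
    m = GENERIC.search(raw)
    return m.group("value") if m else None


def extract_field(raw, key):
    """Generalisation of the key-anchored idea to any "key":"value" field.

    The key is passed through re.escape() so a field name containing regex
    metacharacters cannot alter the pattern, and the opening quote before the
    key is required so that 'name' does not match inside 'surname'.
    """
    pattern = re.compile(
        r'\\?"' + re.escape(key) + r'\\?":\\?"(?P<value>[^"\\]*)'
    )
    m = pattern.search(raw)
    return m.group("value") if m else None


if __name__ == "__main__":
    for raw in (RAW_ESCAPED, RAW_PLAIN):
        print("key-anchored :", extract_nino(raw))
        print("key-less     :", extract_first_value(raw))
        print("by key       :", extract_field(raw, "middleNames"))
```

On both sample events the key-anchored pattern returns AB123456B, while the key-less pattern returns JOHN, the value of the first "key":"value" pair it meets. That is the behaviour to expect from a rex that has nothing before the colon: it extracts a value, just not necessarily the one the field name suggests, which is why putting the field name into the pattern (as the accepted answer does) is the reliable fix.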

IRHM73
Motivator

Hi @MuS, that's great, thank you.

Kind Regards

Chris

0 Karma

MuS
SplunkTrust

You're welcome 🙂

0 Karma

IRHM73
Motivator

Hi, @MuS, I'm really very sorry to trouble you with this again.

I've used the 'rex' expression you kindly provided, but unfortunately it doesn't extract the correct data into the table. I've also tried another field called 'middleNames' which has the same format as the NINO, so the expression is rex field=_raw ":\\\"(?<middleNames>\w+)\\\"" | table middleNames, but it is still not extracting the field value data from the raw text.

Any ideas?

Many thanks and kind regards

Chris

0 Karma

MuS
SplunkTrust

Please provide some raw events for both fields, and use the code markup (CTRL-K) to encode any special characters ...

0 Karma

IRHM73
Motivator

Hi @MuS, thank you very much for taking the time to reply to my post.

Unfortunately I can't get this to work, because it returns the error message: Error in 'rex' command: Encountered the following error while compiling the regex ':(?w+)': Regex: unmatched parentheses.

Could you also tell me please, is it possible to search for the field 'nino' specifically because my raw data contains a number of fields with the same "fieldname":"fieldvalue" format.

Many thanks and kind regards

Chris

0 Karma