Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do i create a regular expression to extract a particular field from comma separated log entry regardless of its length

shobithk
New Member
‎02-21-2017 07:35 AM

Can u help we with below.

I would like to create regular expression to extract a particular field from comma separated log entry regardless of its length.

Log entry sample

2017-02-21 14:25:59,2017-02-21 14:25:59,0.000,101.214.24.6,17.28.191.41,45604,22,TCP,.A....,0,0,1,52,0,0,151129516,151129615,0,0,0,0,0,0,72.128.190.41,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,72.128.157.2,1/2,2,2017-02-21 14:26:00.535

Above log entry is a single linke and has multiple fields which is is comma separated. I would like to extract the field which is marked in BOLD. That is next hop IP for netflow logs.
Basically i would like to only extract the '45th' field in this log entry, regardless of variable data lengths from each fields or type of data.

Can u pls help. I tried while extracting fields and let splunk to do it, but when the data size varies, splunk fails to detect certain fields.

0 Karma
Reply

puneethgowda
Communicator
‎03-03-2017 04:05 AM

HI

Event

2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@

How do i delimit by @$@

0 Karma
Reply

koshyk
Super Champion
‎03-04-2017 04:02 PM 
 | makeresults | eval key=" 2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@" |  rex mode=sed field=key "s/\@\$\@/,/g"| rex field=key "^([^,]*,){5}(?<next_hop_IP>[^,]*)" | table key,next_hop_IP

In above case I have converted "@$@" to comma and then split based on same logic. Have a try using above for getting the 6th field

0 Karma
Reply

puneethgowda
Communicator
‎03-05-2017 02:36 AM

In few events we have , inside fields

0 Karma
Reply

somesoni2
Revered Legend
‎02-21-2017 08:03 AM

If your next hop IP is always 45th segment (comma as separator), then try this

your base search | rex "^([^,]+,){44}(?<next_hop_IP>[^,]+)"
Reply

puneethgowda
Communicator
‎03-03-2017 09:24 PM

Hi somesoni

We want to use regular expression to extract below Even

Based on 1st accuranc of @$@ will be first column and 2 ND accuranc will be 2nd column like that many fields need to be extracted
2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@

How do i delimit by @$@
2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@

How do i delimit by @$@

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...