Solved: how to take the three values from one field result...

loudainmarc · ‎05-15-2017

hi, my search is:
sourcetype:sys src_ip_groupname=list1 OR src_ip_groupname=list2 | table src_ip dest_ip src_ip_groupname
The problem is that src_ip_groupname has eg: IANA Reserved, CountryX,list1.
so my | table src_ip dest_ip src_ip_groupname is:
IP-1 IP-2 IANA Reserved,CountryX,list1
IP-3 IP-4 CountryY,list2
What i want is to | table src_ip dest_ip Assigned Country List
IP-1 IP-2 IANA Reserved CountryX list1
IP-3 IP-4 - CountryY list2
Thank you for help

dineshraj9 · ‎05-15-2017

Try extraction these fields with optional condition this way -

sourcetype:sys src_ip_groupname=list1 OR src_ip_groupname=list2 | rex field=src_ip_groupname "((?<Assigned>[^\,]+)\,)?(?<Country>[^\,]+)\,(?<List>[^\,]+)" | fillnull value="-" Assigned | table src_ip dest_ip Assigned Country List

View solution in original post

dineshraj9 · ‎05-15-2017

Try extraction these fields with optional condition this way -

sourcetype:sys src_ip_groupname=list1 OR src_ip_groupname=list2 | rex field=src_ip_groupname "((?<Assigned>[^\,]+)\,)?(?<Country>[^\,]+)\,(?<List>[^\,]+)" | fillnull value="-" Assigned | table src_ip dest_ip Assigned Country List

loudainmarc · ‎05-31-2017

absolutely majestic dineshraj thank you very much

how to take the three values from one field result and table them

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!