- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Data filtration at field level using SED option
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am new to splunk.. I want to filter data at fields level instead of event levels before indexing my data. data is pipe(|) separated.
I need only few fields from below data, remaining fields are not required.
Example::
event1- 123|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12
event2- 234|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12
event3- 456|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12
Desired output::
event1- 123|field3|field6|field11
event2- 234|field3|field6|field11
event3- 456|field3|field6|field11
Please suggest me the proper regex which works with SED option in props.conf file to extract only these fields.
Thanks in advance...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For demonstration:
| makeresults
| eval raw="123|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12
234|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12
456|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex mode=sed "s/^([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){4}([^\|]*).*$/\1\2\3\4/"
Therefore use:
SEDCMD-fields_0_3_6_11 = s/^([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){4}([^\|]*).*$/\1\2\3\4/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For demonstration:
| makeresults
| eval raw="123|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12
234|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12
456|field1|field2|field3|field4|field5|field6|field7|field8|field9|field10|field11|field12"
| makemv delim="
" raw
| mvexpand raw
| rename raw AS _raw
| rex mode=sed "s/^([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){4}([^\|]*).*$/\1\2\3\4/"
Therefore use:
SEDCMD-fields_0_3_6_11 = s/^([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){4}([^\|]*).*$/\1\2\3\4/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for quick response..
Could you please explain the meaning of ::::: .$/\1\2\3\4/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Go to RegEx101.com and enter the first portion ^([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){2}([^\|]*\|)(?:[^\|]*\|){4}([^\|]*).*$ and it will show you what that does. The dollar sign anchors to the end of the string. The \# dereferences a capture group so \1 gives the value of the first capture group, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, still I didn't get the point. and also is it possible to give field names to that extracted fields.? For example::
"ONE" for first field i.e 123,
"TWO" for second field i.e field3,
"THREE" for third field i.e field6,
"FOUR" for fourth field i.e field11 etc...
And also don't we need '//g' option to replace empty strings in events with SEDCMD syntax(SEDCMD-=s///g)
Thanks for your patience..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A RegExt that begins with ^ and ends with $ matches THE ENTIRE STRING so we only need 1 match (i.e. no g on the end). We are staying replace THE ENTIRE STRING with the 4 captured pieces, back to back. Run it on RegEx101.com and it walks you through each piece.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
