Hi,
Basically I have a raw string, part of a huge csv file.
Additional Role Service Line: None
Comments / Additional information:
ACTION: *** New Starter - Add Role(s) ***";"whatever info
Email Address: some_email
First Name: name
I wanna extract everything after 'Comments'. I came up with the below 2 queries, but none of them is working. I know it might be a basic query, but I am new to Splunk.
index=test_regular_expression source="report_test_data.csv" | fields Description | eval tmp_result=split(Description, "Comments") | eval result=mvindex(tmp_result,0) | fields + result
index=test_regular_expression source="report_test_data.csv" | fields Description | makemv delim="Comments" Description allowempty=false
Ignore the index name, the csv file column is called 'Description'.
Perhaps this will get you going in the right direction.
index=test_regular_expression source="report_test_data.csv" | rex field=Description "Comments(?<Comments>.*)" | ...
Try this
index=test_regular_expression source="report_test_data.csv" | fields Description | rex field=Description "Comments(?<Comments>.+)"
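Added example, not part of the original posts: a self-contained search that compares the rex and split approaches from this thread on one constructed event. It assumes the Description value spans several lines, as the sample in the question suggests; the sample text and the field names nl, first_line_only, everything_after, parts and via_split are made up for the illustration.

```spl
| makeresults
| eval nl=urldecode("%0A")
| eval Description="Additional Role Service Line: None".nl."Comments / Additional information:".nl."ACTION: New Starter".nl."Email Address: some_email".nl."First Name: name"
| rex field=Description "Comments(?<first_line_only>.*)"
| rex field=Description "(?s)Comments(?<everything_after>.*)"
| eval parts=split(Description, "Comments")
| eval via_split=mvindex(parts, 1)
| table first_line_only everything_after via_split
```

Without `(?s)` the dot stops at the first newline, so first_line_only holds only " / Additional information:", while everything_after runs to the end of the field. In the split version, index 0 is the text before "Comments" and index 1 is the text after it.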