How to use regex to reformat a field?

ronbuzon · ‎08-14-2018

Need assistance regex to reformat the field

the field is Message. And the output is

"Reason: Details: Attributes: folderPathname folder ManagerDisplayName david foster OwnerEmail user@useremail"

when developing the regex to select anything after "Attributes:" i was able to create this rex

(?i)Attributes: (?.+)

It works in regex101.com and displays this field

the SPLUNK query that I wrote is:

(base search)||rex field=Message "Attributes: (?.+)

But the message field still shows the entire message value.

Any assistance will help

niketn · ‎08-21-2018

@ronbuzon , I think @493669 has already given you updated query... you need to provide a name for the capturing group, which is your case is Message. You should try the following:

<yourExistingSearch>
| rex field=Message "Attributes: (?<Message>.+)"

You can test the same on regex101 as well https://regex101.com/r/SZzS59/1

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

horsefez · ‎08-21-2018

Hi @ronbuzon,

if you are trying to extract the following data out of the given string, then try something like this.

Your sample data:
Reason: Details: Attributes: folderPathname folder ManagerDisplayName david foster OwnerEmail user@useremail

What you want to extract:
folderPathname folder ManagerDisplayName david foster OwnerEmail user@useremail

How you can do that:
| rex field=Message "Attributes:\s*(?.+)"

Please give me feedback, if that solves your problem.

ronbuzon · ‎08-21-2018

Hi @pyro_wood
thanks for responding and giving your input.

i tried your solution and got this error:

Error in 'rex' command: Encountered the following error while compiling the regex 'Attributes:\s*(?.+)': Regex: unrecognized character after (? or (?-

horsefez · ‎08-23-2018

Hi @ronbuzon,

sorry for the late reply.

Let me fix that solution:

| rex field=Message "Attributes:\s*(?<Attributes>.+)"

sudosplunk · ‎08-15-2018

Hi there, are you trying to trim values of Message field after indexing and create a new field new_field with these trimmed values? Or are you trying to trim the values of Message field before indexing?

gjanders · ‎08-14-2018

regex101 reports a pattern error on:

(?i)Attributes: (?.+)

If you wanted to capture the part after attributes then it would be:

(?i)Attributes: (?P<fieldname>.+)

If you wanted to regex match then it would be | rexgex :

(?i)Attributes: (.+)

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

ronbuzon · ‎08-15-2018

Gjanders,

Thank you for the recommendation and the feedback.

I used the regex command you have provided. however, the field from the search results still provide the entire value of the field. It seems like the rex command does not work.

(base search)||rex field=Message " (?i)Attributes: (?P.+)"

gjanders · ‎08-15-2018

If your goal was to create a new field then:

 (base search)|rex field=Message " (?i)Attributes: (?P<new_field>.+)"

You could potentially override the Message field at search time, where I'm assuming message is a valid field name:

 (base search)|rex field=Message " (?i)Attributes: (?P<Message>.+)"

If you wanted to do this at index time it's completely different, or if your trying to extract the field with the name message from the event itself:

 (base search)|rex " (?i)Attributes: (?P<Message>.+)"

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

493669 · ‎08-14-2018

are you trying this :

   ... |rex field=Message "Attributes: (?<Message>.+)"

ronbuzon · ‎08-14-2018

Got this error-
Error in 'rex' command: Encountered the following error while compiling the regex 'Attributes: (?.+)': Regex: unrecognized character after (? or (?-

493669 · ‎08-14-2018

updated the query ...special characters was missed

How to use regex to reformat a field?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms