Splunk Search

How to extract all values after ","

braicu
New Member

Hello all ,
Please help me to extract all values from this field :

arn:aws:iam::aws:policy/AmazonEC2FullAccess,AmazonEC2FullAccess
arn:aws:iam::aws:policy/CloudWatchActionsEC2Access,CloudWatchActionsEC2Access
arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess,AmazonSNSReadOnlyAccess
arn:aws:iam::aws:policy/CloudWatchLogsFullAccess,CloudWatchLogsFullAccess
arn:aws:iam::aws:policy/AmazonSSMFullAccess,AmazonSSMFullAccess
arn:aws:iam::aws:policy/CloudWatchEventsFullAccess,CloudWatchEventsFullAccess

I am not sure why are shown the policies twice, but I need the new column to be :

AmazonEC2FullAccess
CloudWatchActionsEC2Access
AmazonSNSReadOnlyAccess
CloudWatchLogsFullAccess
AmazonSSMFullAccess
CloudWatchEventsFullAccess

I used | rex max_match=0 field=attachedPolicies "(?(?<=,)[^\/]+$)" , but it is not working it extract me the last value, and I need all the values of the field:
CloudWatchEventsFullAccess
Please help.

0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

@braicu

You have not specified field name that will be extracted. Try: | rex max_match=0 field=attachedPolicies ".*\/(?<new_field>.*)".
Please check here: https://regex101.com/r/nyQXnb/1

Hope this helps!!!

View solution in original post

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@braicu

You have not specified field name that will be extracted. Try: | rex max_match=0 field=attachedPolicies ".*\/(?<new_field>.*)".
Please check here: https://regex101.com/r/nyQXnb/1

Hope this helps!!!

0 Karma

braicu
New Member

Thank you so much , it worked !

0 Karma

braicu
New Member

I used this and not working :
alt text

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...