Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need help of rex?

Shan
Builder
‎04-06-2020 07:12 AM

Dear Friends,

Need you're help on writing a rex. As per my requirement. what ever value comes before a space need to be considered as first value and need to be extracted. values need to extracted and stored in field (checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)

Sample try (?P<Clu>DATA_ACE)

Sample data:

DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
Data*now

Thanks in advance ...

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎04-06-2020 01:19 PM 
| makeresults 
| eval data="(checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)" 
| rex field=data max_match=0 "(?<extracted>\w[^,()]*)"
0 Karma
Reply

dindu
Contributor
‎04-06-2020 07:26 AM

Hi ,
Could you please try the below.

|makeresults
|eval _raw= "input_field
DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
 Data*now"
|multikv forceheader=1
|table input_field
|rex field=input_field "(?P<extracted_field>.*)\s"

Modify the last line if you want to extract anything before the special characters like - 

|rex field=input_field "(?P<extracted_field>.*)(\_|\@|\s|\*)"
0 Karma
Reply

Shan
Builder
‎04-06-2020 07:41 AM

HI @dindu

Thanks for ur reply. I forgot to mention one more thing for some case we need only values before 2nd _. Out of above sample data i need to extract value as mentioned below .
(checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)

Thanks..

0 Karma
Reply

dindu
Contributor
‎04-07-2020 06:49 AM

Hi,

Based on your requirement could you please try the below.

  |makeresults
  |eval _raw= "input_field
    DATA_ACE_CHE_Team
    FdTest@Labcatr
   DATA_ACE_CADD_Team
   DATA_ACE_CAM_Team
   DATA_ACE
   DATA_ACE_CSS_Team
   FG_sam
  Check@#$values
  checkme Data
  D&*fuse
  Data*now"
  |multikv forceheader=1
  |table input_field
  |rex field=input_field "(?P<extracted_field>.*)(?:\_.+\_)"

Also, could you please give expected input and output fields if this is not your requirement?

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...