Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Need help of rex?

Shan
Builder
‎04-06-2020 07:12 AM

Dear Friends,

Need you're help on writing a rex. As per my requirement. what ever value comes before a space need to be considered as first value and need to be extracted. values need to extracted and stored in field (checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)

Sample try (?P<Clu>DATA_ACE)

Sample data:

DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
Data*now

Thanks in advance ...

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎04-06-2020 01:19 PM 
| makeresults 
| eval data="(checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)" 
| rex field=data max_match=0 "(?<extracted>\w[^,()]*)"
0 Karma
Reply

dindu
Contributor
‎04-06-2020 07:26 AM

Hi ,
Could you please try the below.

|makeresults
|eval _raw= "input_field
DATA_ACE_CHE_Team
FdTest@Labcatr
DATA_ACE_CADD_Team
DATA_ACE_CAM_Team
DATA_ACE
DATA_ACE_CSS_Team
FG_sam
Check@#$values
checkme Data
D&*fuse
 Data*now"
|multikv forceheader=1
|table input_field
|rex field=input_field "(?P<extracted_field>.*)\s"

Modify the last line if you want to extract anything before the special characters like - 

|rex field=input_field "(?P<extracted_field>.*)(\_|\@|\s|\*)"
0 Karma
Reply

Shan
Builder
‎04-06-2020 07:41 AM

HI @dindu

Thanks for ur reply. I forgot to mention one more thing for some case we need only values before 2nd _. Out of above sample data i need to extract value as mentioned below .
(checkme,DATA_ACE, FdTest@Labcatr, FG_sam, Check@#$values, D&*fuse,Data*now)

Thanks..

0 Karma
Reply

dindu
Contributor
‎04-07-2020 06:49 AM

Hi,

Based on your requirement could you please try the below.

  |makeresults
  |eval _raw= "input_field
    DATA_ACE_CHE_Team
    FdTest@Labcatr
   DATA_ACE_CADD_Team
   DATA_ACE_CAM_Team
   DATA_ACE
   DATA_ACE_CSS_Team
   FG_sam
  Check@#$values
  checkme Data
  D&*fuse
  Data*now"
  |multikv forceheader=1
  |table input_field
  |rex field=input_field "(?P<extracted_field>.*)(?:\_.+\_)"

Also, could you please give expected input and output fields if this is not your requirement?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...