Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to create a new field called hashtag

sohampb
Engager
‎03-25-2013 12:45 PM

I am a novice, experimenting with a free version of Splunk, and I have a twitter feed in a text file. A part of it looks like :

Name: The Last Word
Screen Name: TheLastWord
Text: .@lawrence anchors from LA tonight where it's in the 60s. In NYC, it's in the 30s and is supposed to snow. #luckyguy #lastword
Created At: Mon Mar 25 18:23:26 +0000 2013
Source: web
Id: 316254010745188352

(I do not have sourcetype : twitter in my version, so I had to make a new sourcetype).

Now I realize that the regex to extract hashtags is : #[^#\s]*\s , but how do I get splunk to create a new field called hashtag, so that I can report of top hashtags etc ?

Thanks !

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

btate
Engager
‎03-25-2013 01:44 PM

The examples on the rex doc might be useful: http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Rex

Example1: creates two new fields: 'from' and 'to'. You capture your matches by using parentheses(like in normal regex) and naming the field that will be captured inside angle brackets(prefixed by a '?' within the capture parentheses.

View solution in original post

Reply
Solved! Jump to solution

sohampb
Engager
‎03-25-2013 02:01 PM

Thanks a lot this solved it. As I said, I am a novic. I used index=main sourcetype="twitter" | rex "#[^#\s]\s(?P[^ ]+)" | search HASHTAG="" and it worked.

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎03-25-2013 02:07 PM

and if there is more than one hashtag per event?

Yes - you can do it in rex as well - add max_match=x to your rex statement, where x would be a number.

/k

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎03-25-2013 01:55 PM

In order to extract hashtag as a multivalue field, i.e. where a single event can contain several occurrences of the same field name, you should do it through a REPORT field extraction. This is a configuration directive in props.conf, which refers to a section of transforms.conf like so;

props.conf

[twitter]
REPORT-get_tags = twitter_tags

transforms.conf

[twitter_tags]
REGEX = #(\S+)\s
FORMAT = hashtag::$1
MV_ADD = true

/k

0 Karma
Reply
Solved! Jump to solution
Solution

btate
Engager
‎03-25-2013 01:44 PM

The examples on the rex doc might be useful: http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Rex

Example1: creates two new fields: 'from' and 'to'. You capture your matches by using parentheses(like in normal regex) and naming the field that will be captured inside angle brackets(prefixed by a '?' within the capture parentheses.

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...