{"id":64530,"date":"2022-10-04T12:03:42","date_gmt":"2022-10-04T12:03:42","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=64530"},"modified":"2022-10-04T12:03:42","modified_gmt":"2022-10-04T12:03:42","slug":"answer-by-warren-for-splunk-query-to-extract-multiple-fields-from-single-field","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=64530","title":{"rendered":"Answer by warren for splunk query to extract multiple fields from single field"},"content":{"rendered":"<p>@<a href=\"https:\/\/stackoverflow.com\/users\/14419\/mads-hansen\">Mads Hansen<\/a>&#8216;s <a href=\"https:\/\/stackoverflow.com\/a\/73940324\/4418\">answer<\/a> will most likely work, but experience shows multiple individual <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/rex\" rel=\"nofollow noreferrer\"><code>rex<\/code><\/a> statements to be safer (ie, they allow for corner cases \/ data in different sequences, etc):<\/p>\n<pre><code>| rex field=message &quot;OUT:\\s+(?&lt;method&gt;\\S+)&quot;\n| rex field=message &quot;taken:\\s+(?&lt;executiontime&gt;\\d+)&quot;\n<\/code><\/pre>\n<p>Speed for sequential regular expressions &#8211; <a href=\"https:\/\/regex101.com\/r\/O8zCL6\/1\" rel=\"nofollow noreferrer\">9<\/a> &amp; <a href=\"https:\/\/regex101.com\/r\/rf80mH\/1\" rel=\"nofollow noreferrer\">23<\/a> steps, respectively<\/p>\n<p>If you want to use an all-at-once regular expression, because you know the data is always in the same order, <a href=\"https:\/\/regex101.com\/r\/yKiuvj\/1\" rel=\"nofollow noreferrer\">this<\/a> one is simpler and faster (28 vs 82 <a href=\"https:\/\/regex101.com\/r\/FvMZ1K\/1\" rel=\"nofollow noreferrer\">steps<\/a>) than Mads Hansen&#8217;s:<\/p>\n<pre><code>| rex field=message &quot;OUT:\\s+(?&lt;method&gt;\\S+).+?taken:\\s+(?&lt;executiontime&gt;\\d+)&quot;\n<\/code><\/pre>\n<p>Lastly, if you know the order of the <code>message<\/code> field is always the same, you could do <a 
href=\"https:\/\/regex101.com\/r\/gHC6uH\/1\" rel=\"nofollow noreferrer\">this<\/a>, making a multivalue field, and separate it after (I combined two <a href=\"https:\/\/docs.splunk.com\/Documentation\/Splunk\/latest\/SearchReference\/eval\" rel=\"nofollow noreferrer\"><code>eval<\/code><\/a> statements into one line, since they&#8217;re not dependent upon each other):<\/p>\n<pre><code>| rex field=message max_match=0 &quot;:\\s+(?&lt;mymvfield&gt;\\S+)&quot;\n| eval method=mvindex(mymvfield,0), executionTime=mvindex(mymvfield,-1)\n<\/code><\/pre>\n<p>from User warren &#8211; Stack Overflow https:\/\/stackoverflow.com\/questions\/73939991\/splunk-query-to-extract-multiple-fields-from-single-field\/73947539#73947539<br \/>\nvia <a href=\"https:\/\/ifttt.com\/?ref=da&#038;site=wordpress\">IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>@Mads Hansen&#8216;s answer will most likely work, but experience shows multiple individual rex statements to be safer (ie, they allow for corner cases \/ data in different sequences, etc): | rex field=message &quot;OUT:\\s+(?&lt;method&gt;\\S+)&quot; | rex field=message &quot;taken:\\s+(?&lt;executiontime&gt;\\d+)&quot; Speed for sequential regular expressions &#8211; 9 &amp; 23 steps, respectively If you want to use an all-at-once &hellip;<br \/><a href=\"https:\/\/merikebi.warrenmyers.com\/?p=64530\" class=\"more-link pen_button pen_element_default pen_icon_arrow_double\">Continue reading <span class=\"screen-reader-text\">Answer by warren for splunk query to extract multiple fields from single 
field<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-64530","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/64530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=64530"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/64530\/revisions"}],"predecessor-version":[{"id":64531,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/64530\/revisions\/64531"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=64530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=64530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=64530"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=64530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}