https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/648077#M110181 <P>I found the erex command that works,</P><P class="lia-indent-padding-left-30px">| erex ImportCount examples="0,18729,49377"</P><P>But you have to enter a sample of the text you are looking for.&nbsp; So it only works for one day and it has to be changed.&nbsp; Can regex be used in place of the examples?</P> Fri, 23 Jun 2023 18:26:45 GMT richtate 2023-06-23T18:26:45Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/647991#M110174 <P>I am getting the log file imported to Splunk, but each line is an event with no field name.&nbsp; Can I break up the line into columns?&nbsp; If not, how do I parse the line to extract a number?</P> <P>Index is:</P> <P>index=test_7d sourcetype=kafka:producer:bigfix</P> <P>Events are:</P> <P>2023-06-22 09:15:44,270 root - INFO - <STRONG>114510</STRONG> events have been uploaded to topic DC2_Endpoint_Configuration_IBM_BigFix_Patch_Join on Kafka<BR />2023-06-22 09:15:37,204 root - INFO - Executing getDatafromDB<BR />2023-06-22 09:15:35,704 root - INFO - <STRONG>35205</STRONG> events have been uploaded to topic DC2_Endpoint_Configuration_IBM_BigFix_Patch_Join on Kafka<BR />2023-06-22 09:15:33,286 root - INFO - Executing getDatafromDB<BR />2023-06-22 09:15:32,703 root - INFO - <STRONG>167996</STRONG> events have been uploaded to topic DC2_Endpoint_Configuration_IBM_BigFix_Patch_Join on Kafka<BR />2023-06-22 09:15:22,479 root - INFO - Executing getDatafromDB<BR />2023-06-22 09:15:19,031 root - INFO - <STRONG>181</STRONG> events have been uploaded to topic DC2_Endpoint_Configuration_IBM_BigFix_Patch_Join on Kafka</P> <P>Each line/event starts with the date, the wordwrap is making it look incorrect.&nbsp; I need to parse the bold number of each line after '- INFO -' and add a zero if no number.&nbsp; I can do this with a eval, but how do I parse if there is no field name to add to the 'regex' command?</P> <P>Thank you for looking at this problem!</P> Thu, 22 Jun 2023 17:58:39 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/647991#M110174 richtate 2023-06-22T17:58:39Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/647994#M110175 <P>For example, here I'm using 'regex' to remove Operating Systems from dataset on a fieldname 'operating_system' which is one column of an sourcetype:</P><P class="lia-indent-padding-left-30px">| regex operating_system!="(Linux|AIX|CENTOS|WINDOWS|Digital UNIX|FreeBSD|HP-UX|Hyper-V|Juniper|Mac|Windows|NetBSD|OpenBSD|OpenVMS|Server 2012|Server Core 2012|Server 2016|Server 2019|Ubuntu|Solaris|Unix|ESX|vCenter Server|rbash|[\*\*\*\*\*\*]|\A[\-\-\-\-\-\-\-\-\-\-]|[\=\=\=\=\=\=\=\=\=\=])"</P> Thu, 22 Jun 2023 17:58:19 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/647994#M110175 richtate 2023-06-22T17:58:19Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/648077#M110181 <P>I found the erex command that works,</P><P class="lia-indent-padding-left-30px">| erex ImportCount examples="0,18729,49377"</P><P>But you have to enter a sample of the text you are looking for.&nbsp; So it only works for one day and it has to be changed.&nbsp; Can regex be used in place of the examples?</P> Fri, 23 Jun 2023 18:26:45 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/648077#M110181 richtate 2023-06-23T18:26:45Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/648224#M110211 <P>Any help is appreciated, even if it means this is in the wrong category..</P> Mon, 26 Jun 2023 16:11:20 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/648224#M110211 richtate 2023-06-26T16:11:20Z https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/648242#M110214 <P>Found the answer:</P><PRE>| rex "INFO - (?&lt;eventCount&gt;\d+)" | fillnull value=0 eventCount</PRE> Mon, 26 Jun 2023 17:48:38 GMT https://community.splunk.com/t5/Getting-Data-In/Log-file-is-importing-How-to-parse-the-event/m-p/648242#M110214 richtate 2023-06-26T17:48:38Z