topic Re: Two different Deliminator for a field in Getting Data In

Two different Deliminator for a field

AdixitSplunk — Thu, 05 Jan 2017 10:47:31 GMT

I have 2 types of Messages in my log
for 1st i want to split it from ":" deliminator
and for 2nd i want deliminator to be "for"

my base query is something like belwo :

.... Message1 OR Message2|eval delim=(if Message1, deliminator should be ":" ,if Message2 ,deliminator should be "for"| eval num=split(Message,"delim")|eval field=mvindex(num,0)|stats count by field

Please help me on this .

Thanks

Re: Two different Deliminator for a field

jplumsdaine22 — Thu, 05 Jan 2017 10:57:21 GMT

Do you have some sample data? Are message1 and message2 text strings or field names? Are they in a field or do you need to extract from raw?

Re: Two different Deliminator for a field

AdixitSplunk — Thu, 05 Jan 2017 11:01:22 GMT

Field name is Message.From Message1 and 2 i means to say different type of message.
So there are basically 2 types of Messages in field Message
Example :
1st Applicatio photobuf message : dfgjsdgfjsgd gsdkgfksdgf ksdgfksdgfk s--- for such message i want ":" as delim
2nd Application2:Photoinserted to somesets for an Account--- for these messages i want "for" as delim

Re: Two different Deliminator for a field

Arun_N_007 — Thu, 05 Jan 2017 11:10:09 GMT

Use match or like inside if condition to find message type based on that set the delim.

..| eval delim = if(like(_raw,"%:%"),":","for")

Re: Two different Deliminator for a field

AdixitSplunk — Thu, 05 Jan 2017 12:06:09 GMT

can you please help me with the syntax here .

Re: Two different Deliminator for a field

gcusello — Thu, 05 Jan 2017 12:22:04 GMT

Hi AdixitSplunk,
why you don't use a regex extraction like this:

| rex "(:|for)\s(?<Message>.*)"

Bye.
Giuseppe

Re: Two different Deliminator for a field

AdixitSplunk — Thu, 05 Jan 2017 12:54:43 GMT

Its not working 😞 , its only showing the last
Message are like :
Application photobuf message : dhfksdhkfhksdhfk hdfkshfskhfk dfhkshdfkshfhs
Application Data loaded successfully for Photo No - 123456789 ; OrderIPlaceno - 987654321

using | rex "(:|for)\s(?.)" is giving Photo No -1234

Re: Two different Deliminator for a field

gcusello — Thu, 05 Jan 2017 14:19:22 GMT

modify regex

| rex max_match=0 "(:|for)\s(?<Message>.*)"

see https://regex101.com/r/nGhrLA/1

Bye.
Giuseppe

Re: Two different Deliminator for a field

somesoni2 — Thu, 05 Jan 2017 16:08:49 GMT

Give this a try

.... Message1 OR Message2|eval delim=if(searchmatch("Message1"),split(Message,":"),split(Message,"for"))|eval field=mvindex(num,0)|stats count by field

Re: Two different Deliminator for a field

gokadroid — Thu, 05 Jan 2017 16:26:22 GMT

How about you try this and take whichever one you are interested in out of preFix OR sufFix fields if your initial string is in field Message:

your query to return events
| rex field=Message "^(?<preFix>^.*?)(\s:\s|\sfor\s)(?<sufFix>.*)"
| table preFix, sufFix, Message

See here for the extraction at work. Notice the Group PreFix and Group SufFix on right sidebar after reaching the extraction hyperlink page.

Re: Two different Deliminator for a field

Arun_N_007 — Tue, 29 Sep 2020 12:18:36 GMT