https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605744#M11544 <P>&nbsp;Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Sorry for that. No its not the exact 5th field(above is just sample) and expected output is something like this(possible)</P><TABLE width="199"><TBODY><TR><TD width="69">Date</TD><TD width="66">Passenger</TD><TD width="64">Cash</TD></TR><TR><TD>15/7/2022</TD><TD>A</TD><TD>85000</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Thanks a lot for very quick response.</P> Fri, 15 Jul 2022 07:42:55 GMT thangarun 2022-07-15T07:42:55Z https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605738#M11542 <P>Dear All,</P> <P>I am a rookie in Splunk and need your help to extract a fields from the log,</P> <P>Example:</P> <P><SPAN class="">2022-07-15</SPAN> <SPAN class="">14:30:43 , <SPAN>Oracle WebLogic Server is fully supported on Kubernetes</SPAN>&nbsp;, xsjhjediodjde,</SPAN>"approvalCode":"YES",<FONT face="arial black,avant garde">"totalCash":"85000"</FONT>,"passenger":"A",dgegrgrg4t3g4t3g4t3g4t,rgrfwefiuascjcusc,</P> <P>In this log i would like to have a extract as Cash and display the value in a tabular form as Date|Passenger|Amount&nbsp;</P> <P>Please suggest.</P> Fri, 15 Jul 2022 16:52:48 GMT https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605738#M11542 thangarun 2022-07-15T16:52:48Z https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605742#M11543 <P>You will need to be more specific</P><P>Assuming comma delimited, is the field you are interested in always the 5th field?</P><P>Does it always start with "totalCash"?</P><P>What would your expected output look like, e.g. does the Cash column always contain "totalCash"?</P><P>Do you already have some fields extracted when the events were ingested/indexed?</P> Fri, 15 Jul 2022 07:27:49 GMT https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605742#M11543 ITWhisperer 2022-07-15T07:27:49Z https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605744#M11544 <P>&nbsp;Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; Sorry for that. No its not the exact 5th field(above is just sample) and expected output is something like this(possible)</P><TABLE width="199"><TBODY><TR><TD width="69">Date</TD><TD width="66">Passenger</TD><TD width="64">Cash</TD></TR><TR><TD>15/7/2022</TD><TD>A</TD><TD>85000</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Thanks a lot for very quick response.</P> Fri, 15 Jul 2022 07:42:55 GMT https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605744#M11544 thangarun 2022-07-15T07:42:55Z https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605745#M11545 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247714">@thangarun</a>,</P><P>as&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;said, it isn't so clear what's the diferene (in your logs) between cash and amount.</P><P>Anyway, the regex to extract the totalCash is the following</P><LI-CODE lang="markup">| rex "\"totalCash\":\"(?&lt;totalCash&gt;\d+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/KmAhE5/1" target="_blank">https://regex101.com/r/KmAhE5/1</A></P><P>Ciao.</P><P>Giuseppe</P> Fri, 15 Jul 2022 07:45:31 GMT https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605745#M11545 gcusello 2022-07-15T07:45:31Z https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605747#M11546 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/247714">@thangarun</a>,</P><P>update after your message:</P><LI-CODE lang="markup">| rex "\"totalCash\":\"(?&lt;totalCash&gt;\d+)\",\"passenger\":\"(?&lt;passenger&gt;[^\"]+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/KmAhE5/2" target="_blank">https://regex101.com/r/KmAhE5/2</A></P><P>Supponing that that date and time you have is also the event timestamp, you could run something like this:</P><LI-CODE lang="markup">index=your_index | rex "\"totalCash\":\"(?&lt;totalCash&gt;\d+)\",\"passenger\":\"(?&lt;passenger&gt;[^\"]+)" | table _time passenger totalCash </LI-CODE><P>Ciao.</P><P>Giuseppe</P> Fri, 15 Jul 2022 07:49:26 GMT https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605747#M11546 gcusello 2022-07-15T07:49:26Z https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605749#M11547 <P>Depending on your actual data (a single example doesn't really cut it unless it is 100% representative), you may need to deal with decimals</P><LI-CODE lang="markup">| rex "\"totalCash\":\"(?&lt;totalCash&gt;[\d\.]+)\",\"passenger\":\"(?&lt;passenger&gt;[^\"]+)"</LI-CODE> Fri, 15 Jul 2022 07:54:50 GMT https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605749#M11547 ITWhisperer 2022-07-15T07:54:50Z https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605751#M11548 <P>Awesome....</P> Fri, 15 Jul 2022 07:57:39 GMT https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605751#M11548 thangarun 2022-07-15T07:57:39Z https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605752#M11549 <P>Thanks a lot</P> Fri, 15 Jul 2022 07:57:59 GMT https://community.splunk.com/t5/Reporting/How-to-extract-a-specific-data-from-log/m-p/605752#M11549 thangarun 2022-07-15T07:57:59Z