topic How to extract fields from events where the field location isn't constant and keeps changing? in Splunk Search

How to extract fields from events where the field location isn't constant and keeps changing?

VI371887 — Thu, 08 Mar 2018 17:04:33 GMT

I want to write a query or rex under field extraction, to extract each value following a string and stopping at coma,

example :
hcyycuvubuv : 45544.466, "cpu percentage" :23.45667, "higghh": 23.345t,

in above string, I am only looking for numbers that come after "cpu_percentage":
, which is 23.45667

problem is, in my events the cpu percentage string is not at the same location in logs.

example :

first event
chhchvhvh: 223. 455, "cpu_percentage":23.45677,gghffvhh:3455

second event
chhchvhvh: 223. 455, tuvjvujjvg:3456.566, "cpu_percentage":23.45677,gghffvhh:3455.788

Re: How to extract fields from events where the field location isn't constant and keeps changing?

somesoni2 — Thu, 08 Mar 2018 17:25:52 GMT

Try like this

your base search 
| rex "\"cpu_percentage\"\:(?<cpu_percentage>[^,]+)"

your base search
| extract pairdelim="," kvdelim=":"

Re: How to extract fields from events where the field location isn't constant and keeps changing?

deepashri_123 — Thu, 08 Mar 2018 17:28:24 GMT

Hey VI371887,

You can try the following:

base search|rex field=_raw "\"cpu_percentage\"\:(?P<percentage>\d+.\d+[^,])"

Let me know if this helps!!!

Re: How to extract fields from events where the field location isn't constant and keeps changing?

anjambha — Fri, 09 Mar 2018 07:01:53 GMT

Hi VI371887,

Try this run search anywhere..

| makeresults | eval data="\"disk_bytes\":23.10,\"disk_bytes_quota\":23.13t," | rex field=data "disk_bytes\"\:(?<disk_bytes>\d+\.\d*)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>\d+\.\w+)\,"

in your environment:

base search |  rex field=_raw "disk_bytes\"\:(?<disk_bytes>\d+\.\d*)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>\d+\.\w+)\,"

base search | rex field=data "disk_bytes\"\:(?<disk_bytes>[^,]+)\,\"disk_bytes_quota\"\:(?<disk_bytes_quota>[^,]+)\,"

Re: How to extract fields from events where the field location isn't constant and keeps changing?

VI371887 — Wed, 21 Mar 2018 06:36:50 GMT

hi i am having similar issues,

with msg field

it's has different values can be numbers, strings, path, punctuations, blank space like shown below.

"msg" :"35556"
"msg" :"<<÷] {<} ;;"
"msg" :"ycuvuuu jvbigg buivuv"
"msg" :" "

now problem is, i have written rex as
\msg\":(? \". *\") \,

but it returns value which following msg field.

"msg" :"vjvuv igivc uvviv", "origin" :"abcgc", "time" :23.45677",