topic Re: How to parse specific value from a field value? in Splunk Search

How to parse specific value from a field value?

wicke_s — Fri, 14 Jun 2019 20:48:57 GMT

Disclaimer : I'm new to Regex and using the Rex function

I have a field "Message" that has the following string format:

"EWT_Print=282, CIQ=1, Did not meet the threshold, 009s5td"

All the Message field values are going to have the same format "EWT_Print=[some number], CIQ=[some number], some text"

I am trying to extract the value of the EWT_Print, in this example 282 and display it in a table, however, I always get an empty table when I try this:

<my base search> | rex field=Message "EWT_Print=(?<EWT>[0-9]+)*"

What am I doing wrong?

Re: How to parse specific value from a field value?

richgalloway — Fri, 14 Jun 2019 21:12:46 GMT

Your regex looks good, although the * is not needed. It works in regex101.com. Have you tried without the *?

Re: How to parse specific value from a field value?

wicke_s — Fri, 14 Jun 2019 21:20:13 GMT

Yes, I got the regex from regex101.com 🙂

I tried without the * and it still doesn't work. I tried without the table and I could see I have at least 133 events matching the search, however the rex still doesn't work.

Thanks for taking the time to look into this!

Re: How to parse specific value from a field value?

jkat54 — Fri, 14 Jun 2019 21:46:04 GMT

Are you searching in verbose mode? Because verbose mode auto extracts key value pairs like these you have.

If not in verbose mode you can use the '| extract' command to achieve the same result.

Re: How to parse specific value from a field value?

wicke_s — Fri, 14 Jun 2019 22:33:31 GMT

Thanks for your reply! I am searching in verbose mode and I also tried the search with the "extract" keyword. Still returns empty table

Re: How to parse specific value from a field value?

jkat54 — Sat, 15 Jun 2019 11:39:24 GMT

What's your full search?

Re: How to parse specific value from a field value?

wicke_s — Mon, 17 Jun 2019 14:53:56 GMT

index=<index> sourcetype=<sourcetype> Message="EWT_Print*" | rex field=Extended_Field.Message "EWT_Print=(?<EWT>[0-9]+)"| table EWT

Re: How to parse specific value from a field value?

jnudell_2 — Mon, 17 Jun 2019 17:25:33 GMT

Try:

... [ your search ] ... 

| rex "EWT_Print=(?<EWT>[^,]+),"

If that works, then try:

... [ your search ] ... 

| rex field=Message "EWT_Print=(?<EWT>[^,]+),"

Re: How to parse specific value from a field value?

jkat54 — Mon, 17 Jun 2019 18:01:01 GMT

Try renaming the field first
...
| rename Extended_Field.Message as message
| rex field=message
...

Re: How to parse specific value from a field value?

vnravikumar — Tue, 18 Jun 2019 12:33:53 GMT

Try this,

| makeresults 
| eval Message = "EWT_Print=282, CIQ=1, Did not meet the threshold, 009s5td" 
| rex field=Message "EWT_Print\=(?P<EWT>[\d]+)"

Re: How to parse specific value from a field value?

pranay_adla — Tue, 18 Jun 2019 12:47:00 GMT

  <base search> | rex field=Message "EWT_Print\=(?P<EWT>\d+)\,"

Re: How to parse specific value from a field value?

VatsalJagani — Tue, 18 Jun 2019 14:32:40 GMT

@wicke_s - Try this regex. (make sure field Message is not containing "(quote) in value.)

^EWT_Print=(?<EWT_Printer>\d+),

Re: How to parse specific value from a field value?

wicke_s — Tue, 18 Jun 2019 14:57:55 GMT

This did the trick, The ',' is what I was missing.....

<search> | rex "EWT_Print=(?<EWT>[0-9]+),"

is the query that worked for me. Thanks a lot