topic Re: How do you extract data from the following field event_message: "P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point." in Splunk Search

How do you extract data from the following field event_message: "P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point."

aragoma — Tue, 29 Sep 2020 22:19:47 GMT

The following field after event_message is event_parameters:Film Configuration: {0} Name: {1} DateTime: {2} Note: {3} ,and it has the structure of the previous.

Thank you,

MIguel

Re: How do you extract data from the following field event_message: "P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point."

somesoni2 — Mon, 10 Dec 2018 20:04:02 GMT

Could you provide more samples of raw data in the question and highlight which values you want to extract and name(s) of those fields?

Re: How do you extract data from the following field event_message: "P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point."

aragoma — Tue, 29 Sep 2020 22:19:49 GMT

event_message
P5_Sequential,Randall,2018-08-07 13:30:36,custom
P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point
P5_Concurrent,Bryan Johnston,2018-08-26 16:51:58,Fluorescent lights have a 5 second delay before turning off. ove SCENE2 to 5 seconds earlier.
D5_Sequential,Jeff,2018-09-24 09:58:37,Stars w SD at 8:48

The data is separated by comas.

event_parameters
Film Configuration: {0} Name: {1} DateTime: {2} Note: {3}
these correspond to the data in the event_message.

For example
Film Configuration: {0} Name: {1} DateTime: {2} Note: {3}
D5_Sequential, Jeff, 2018-09-24 09:58:37, Stars w SD at 8:48

Miguel

Re: How do you extract data from the following field event_message: "P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point."

macadminrohit — Mon, 10 Dec 2018 21:10:14 GMT

(?<Name>^\w+\,\w+)\,(?P<date_time>\d{1,4}\-\d{1,2}\-\d{1,2} \d{1,2}\:\d{1,2}\:\d{1,2})\,(?P<node>[a-zA-Z0-9_ ]*$)

Re: How do you extract data from the following field event_message: "P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point."

macadminrohit — Mon, 10 Dec 2018 21:11:20 GMT

Then you can write another regex on Name to separate names or use splunk makemv delim="," Name kind of command set.

Re: How do you extract data from the following field event_message: "P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point."

aragoma — Tue, 11 Dec 2018 14:52:09 GMT

Thank you, it worked separating the data in between commas.

Re: How do you extract data from the following field event_message: "P5_Transfer,CLO,2018-08-08 12:12:57,Cardston transfer custom start point."

adonio — Tue, 11 Dec 2018 16:02:49 GMT

@aragoma, if it works for you, kindly accept the answer