topic Re: Need help in regular expression to extract data. in Splunk Search

Need help in regular expression to extract data.

DataOrg — Fri, 14 Feb 2020 09:53:19 GMT

I need to filter the data from below _raw only the SPLUNKXML =""

_raw

2020-02-13 01:04:18.910, COUNT="863132", URL="http://122.32.10:8080/HP/Material", SAD="GET", SPLUNKXML="<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>", IPCODE="111", Timestamp="2020-02-13 01:00:06.75"

OUtput needed:

    SPLUNKXML= "<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>"

Re: Need help in regular expression to extract data.

manjunathmeti — Fri, 14 Feb 2020 10:20:30 GMT

SPLUNKXML should be extracted automatically by splunk . If not use rex: | rex field=_raw "SPLUNKXML=(?.*), IPCODE"

Sample query:

| makeresults | eval _raw="2020-02-13 01:04:18.910, COUNT='863132', URL='http://122.32.10:8080/HP/Material', SAD='GET', SPLUNKXML='<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>', IPCODE='111', Timestamp='2020-02-13 01:00:06.75'" | rex field=_raw "SPLUNKXML=(?<SPLUNKXML>.*), IPCODE"

Re: Need help in regular expression to extract data.

to4kawa — Sat, 15 Feb 2020 00:58:00 GMT

| makeresults 
| eval _raw="2020-02-13 01:04:18.910, COUNT='863132', URL='http://122.32.10:8080/HP/Material', SAD='GET', SPLUNKXML='<APICALL><IPCODE>201</IPCODE><returnTime>1581573606000</returnTime><data><ULID>049726</ULID><requestId>$658262</requestId><currentStatus>SPlunk  - Picked</currentStatus><pickedQuantity><value>634</value><uom>EA</uom><lastUpdateTime>1581399738000</lastUpdateTime></data></APICALL>', IPCODE='111', Timestamp='2020-02-13 01:00:06.75'" 
| kv
| foreach * [eval <<FIELD>> = trim('<<FIELD>>', "\'")]

@manjunathmeti @premranjithj
If you use spath later, the query is here.