https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499103#M139022 <P>Add this to your SPL and replace <CODE>FIELD_NAME</CODE> with your actual field name. I'd recommend fixing the logging to remove that space after value so Splunk can create the key value pair automatically without manually extracting </P> <PRE><CODE>| rex value\=\s(?&lt;FIELD_NAME&gt;/d+) </CODE></PRE> Thu, 14 May 2020 14:07:42 GMT skoelpin 2020-05-14T14:07:42Z https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499102#M139021 <P>Hi,<BR /> I'm trying to make a Splunk panel display a value from a log that gets added to every 4 minutes.<BR /> I need to be able to see on the dashboard if the value suddenly drops. <BR /> I've tried extracting the value, but it keeps messing up. <BR /> Should I use regex, or do I need to extract it in a different way?<BR /> My goal is to only get the value after "value= " to return. </P> <P>This is how the data looks when it's imported into Splunk, each new line is a single event:</P> <PRE><CODE>2020-05-14T13:39:28.423Z, machine= wefqwr2312, value= 14 2020-05-14T13:40:29.003Z, machine= wefqwr2312, value= 14 2020-05-14T13:40:29.118Z, machine= wefqwr2312, value= 14 2020-05-14T13:41:28.316Z, machine= wefqwr2312, value= 14 2020-05-14T13:41:28.323Z, machine= wefqwr2312, value= 14 2020-05-14T13:45:48.032Z, machine= wefqwr2312, value= 14 2020-05-14T13:45:48.041Z, machine= wefqwr2312, value= 14 </CODE></PRE> <P>Thanks!</P> Thu, 14 May 2020 13:56:19 GMT https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499102#M139021 j3r0n 2020-05-14T13:56:19Z https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499103#M139022 <P>Add this to your SPL and replace <CODE>FIELD_NAME</CODE> with your actual field name. I'd recommend fixing the logging to remove that space after value so Splunk can create the key value pair automatically without manually extracting </P> <PRE><CODE>| rex value\=\s(?&lt;FIELD_NAME&gt;/d+) </CODE></PRE> Thu, 14 May 2020 14:07:42 GMT https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499103#M139022 skoelpin 2020-05-14T14:07:42Z https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499104#M139023 <P>Thanks alot for your reply!<BR /> I've edited the logging now, without the space after value. <BR /> Do I need a different rex now? And the extracted field of which I put the name in the regex, only has to be the "16" instead of "value=16" right?</P> Thu, 14 May 2020 14:28:08 GMT https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499104#M139023 j3r0n 2020-05-14T14:28:08Z https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499105#M139024 <P>Nothing further needed! Splunk will identify key value pairs automatically and extract them out for you. Splunk looks for common delimiters such as the <CODE>:</CODE> or <CODE>=</CODE> and identifies everything on the left side as the field and everything on the right side as the value. Keep it in the format of <CODE>value=14</CODE></P> <P>Once it has a little run time, go look at your fields on the left and find the field <CODE>value</CODE> to verify it extracts properly </P> Thu, 14 May 2020 14:30:11 GMT https://community.splunk.com/t5/Splunk-Search/Extract-an-value-from-logged-sentence/m-p/499105#M139024 skoelpin 2020-05-14T14:30:11Z