https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57371#M13998 <P>I am new to splunk. Can you please tell how to achieve this? I am unable to find the search query using splunk</P> <P>| eval Field2=substr(message, charindex(message, "&amp;lmt="), charindex(message, "&amp;dt="))</P> <P>I have used some thing as above but charindex doesnt work.</P> <P>here "message" is the Field which is been extracted during the data import.</P> Tue, 22 May 2012 09:48:57 GMT abhijitnayak 2012-05-22T09:48:57Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57369#M13996 <P>Hi Everyone,</P> <P>I am trying to extract fields from the multivalued Field which has the following</P> <P><A href="http://pubads.g.doubleclick.net/gampad/ads?correlator=1329033559899&amp;output=json_html&amp;callback=GA_googleSetAdContentsBySlotForSync&amp;impl=s&amp;client=ca-pub-3341866503936280&amp;slotname=Argaam_AllPages_LeaderBoard_728x90&amp;page_slots=Argaam_AllPages_LeaderBoard_728x90&amp;cookie=ID%3Dc8e744ff06435b06%3AT%3D1328766284%3AS%3DALNI_MZSu26hgR2sN5WOP8rB52YX_YtF5A&amp;url=http%3A%2F%2Fwww.argaam.com%2FPortal%2FDefault.aspx&amp;lmt=1329033560&amp;dt=1329033560159&amp;cc=100&amp;oe=utf-8&amp;biw=1920&amp;bih=985&amp;adk=3690209964&amp;adx=460&amp;ady=52&amp;ifi=1&amp;oid=3&amp;u_tz=240&amp;u_his=3&amp;u_java=true&amp;u_h=1080&amp;u_w=1920&amp;u_ah=1040&amp;u_aw=1920&amp;u_cd=24&amp;flash=10.3.181.34&amp;gads=v2&amp;ga_vid=355700385.1328766284&amp;ga_sid=1329023597&amp;ga_hid=818285417&amp;ga_fc=true">http://pubads.g.doubleclick.net/gampad/ads?correlator=1329033559899&amp;output=json_html&amp;callback=GA_googleSetAdContentsBySlotForSync&amp;impl=s&amp;client=ca-pub-3341866503936280&amp;slotname=Argaam_AllPages_LeaderBoard_728x90&amp;page_slots=Argaam_AllPages_LeaderBoard_728x90&amp;cookie=ID%3Dc8e744ff06435b06%3AT%3D1328766284%3AS%3DALNI_MZSu26hgR2sN5WOP8rB52YX_YtF5A&amp;url=http%3A%2F%2Fwww.argaam.com%2FPortal%2FDefault.aspx&amp;lmt=1329033560&amp;dt=1329033560159&amp;cc=100&amp;oe=utf-8&amp;biw=1920&amp;bih=985&amp;adk=3690209964&amp;adx=460&amp;ady=52&amp;ifi=1&amp;oid=3&amp;u_tz=240&amp;u_his=3&amp;u_java=true&amp;u_h=1080&amp;u_w=1920&amp;u_ah=1040&amp;u_aw=1920&amp;u_cd=24&amp;flash=10.3.181.34&amp;gads=v2&amp;ga_vid=355700385.1328766284&amp;ga_sid=1329023597&amp;ga_hid=818285417&amp;ga_fc=true</A></P> <P>The parameters are usually separated by param="Value"</P> <P>From the above text = GA_googleSetAdContentsBySlotForSync</P> <P>Parameter = &amp;callback<BR /> value = GA_googleSetAdContentsBySlotForSync</P> <P>Parameter = &amp;flash<BR /> value = 10.3.181.34</P> <P>The text above is one field and this parameter extraction has to be done only to websites which are search engines ..</P> <P>Is there a way to extract the field values even if it is not dynamic way of extraction?</P> Tue, 22 May 2012 05:51:03 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57369#M13996 abhijitnayak 2012-05-22T05:51:03Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57370#M13997 <P>I don't understand what's not working and how you would like things to work. Could you state your problem more clearly please?</P> Tue, 22 May 2012 06:25:10 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57370#M13997 Ayn 2012-05-22T06:25:10Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57371#M13998 <P>I am new to splunk. Can you please tell how to achieve this? I am unable to find the search query using splunk</P> <P>| eval Field2=substr(message, charindex(message, "&amp;lmt="), charindex(message, "&amp;dt="))</P> <P>I have used some thing as above but charindex doesnt work.</P> <P>here "message" is the Field which is been extracted during the data import.</P> Tue, 22 May 2012 09:48:57 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57371#M13998 abhijitnayak 2012-05-22T09:48:57Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57372#M13999 <P>Field2 that needs to be extracted is 1329033560.. can you please suggest the regex to derive this multi valued field?</P> Tue, 22 May 2012 09:50:24 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57372#M13999 abhijitnayak 2012-05-22T09:50:24Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57373#M14000 <P>Did you look at all the fields, not just those shown on the left? Click Edit, and in the pop-up window that field should already be extracted as "correlator".</P> <P>Splunk should automatically extract a value any time it sees a key=value. How it determines what are "interesting fields" I'm not sure.</P> Wed, 23 May 2012 02:34:24 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57373#M14000 mikelanghorst 2012-05-23T02:34:24Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57374#M14001 <P>Hi Mike , I dont this its so easy .<BR /> We would have to parse and cut the words between &amp;param1="WORD"&amp;param2<BR /> Let me know if there is a way to do this.</P> Wed, 23 May 2012 05:01:10 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57374#M14001 abhijitnayak 2012-05-23T05:01:10Z https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57375#M14002 <P>GOT IT!!! <BR /> source="POC.txt" | regex Field2="google" | makemv delim="&amp;" Field2 </P> Mon, 28 May 2012 06:12:10 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-Parsing-Regex/m-p/57375#M14002 abhijitnayak 2012-05-28T06:12:10Z