topic Re: field extraction help in Splunk Search

field extraction help

a212830 — Tue, 22 May 2012 20:02:45 GMT

Hi,

I'm a relative newbie (power noob?) who is having issues with extracting fields from a multi-line event. A sample is below. I need to parse out each one into field. I tried grabbing the beginning of the field to the end, but I'm not getting anything. Any ideas? -- \tTCPIP\s(?.+)%
(Not looking for each one - figured if I get one correct, the others would be similiar...)

StartEvent Tue May 22 15:25:33 EDT 2012 ***
CPU 0 17%
Object Store 10%
HTTP and FTP 2%
Access Logging 2%
Miscellaneous 1%
CPU 1 41%
TCPIP 18%
HTTP and FTP 16%
Policy evaluation - HTTP 5%
DNS service 1%

Re: field extraction help

sdaniels — Tue, 22 May 2012 22:54:14 GMT

Assuming you have the line breaking right for the whole event...this works for me to extract the TCPIP %age:

Updated:

TCPIP\\s+(?<tcpip>.+)%

Not sure what you have at the beginning of yours with '--t'

Re: field extraction help

a212830 — Tue, 29 May 2012 15:04:57 GMT

this grabs all the whitespace that is between TCPIP and the end value. Is there anyway to strip out that whitespace? I want to go from TCPIP to the %, and grab the value just before the %.

Re: field extraction help

Ayn — Tue, 29 May 2012 15:11:18 GMT

TCPIP\s+(?<tcpip>\S+)%

Re: field extraction help

a212830 — Tue, 29 May 2012 17:06:35 GMT

Thanks to you both. Just started reading my "Mastering Regular Expressions" book!