topic Re: how to extract one value from log in Splunk Search

how to extract one value from log

ivana27 — Tue, 16 Feb 2021 14:56:41 GMT

Hi,

i have log like this

[Information] WebService Call CheckVehicle : country=111111, licensePlate=12DUMMY

And i would like to extract only licensePlate using maybe rex.

Thank you

Re: how to extract one value from log

gcusello — Tue, 16 Feb 2021 15:49:41 GMT

Hi @ivana27,

you should already have the required field extraction because Splunk recognises the pair field_name=field_value.

Anyway, using regex, you could try something like this:

| rex "licensePlate\=(?<licensePlate>[^ ]+)"

that you can test at https://regex101.com/r/oQDejO/1

Ciao.

Giuseppe

Re: how to extract one value from log

ivana27 — Tue, 16 Feb 2021 15:55:19 GMT

Thank you for quick respond, i already put same rex command but in event there is several places where licensePlate is shown but i want extract only from that exact log mentioned here.

Thanks

Re: how to extract one value from log

gcusello — Tue, 16 Feb 2021 16:00:11 GMT

Hi @ivana27,

if this answer solves your problem please accept it for the other people of Community, otherwise tell me if I can help you more.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

Re: how to extract one value from log

ivana27 — Wed, 17 Feb 2021 07:57:04 GMT

Hi,

thank you for reply. I still didnt solve it 😞

Is it possible to refer only to this log and extract only from there licence?

Thank you

Re: how to extract one value from log

gcusello — Wed, 17 Feb 2021 08:08:44 GMT

Hi @ivana27,

if the problem is that the Regex takes more values that the correct one, the only way is to create a regex more complex that recognizes only the correct values.

If the problem is that the licensePlate field is also automatically extracted by Splunk and sometimes in a not correct way, you could use a different name for the regex extraction and use that field instead the other in your searches.

Ciao.

Giuseppe

Re: how to extract one value from log

Kwip — Wed, 17 Feb 2021 19:43:25 GMT

Hi @ivana27 ,

If you want to extract only from the mentioned log, include the unique information from the specific log

| rex field=_raw "country=111111\, licensePlate=(?<LicensePlate>[^ ]+)"

Re: how to extract one value from log

ivana27 — Thu, 18 Feb 2021 07:50:14 GMT

Hi @Kwip ,

thank you for helping. Problem is this just example i gave, values for country and licensePlate are different in events. So, i need from that row to take only value of license.

Thanks

Re: how to extract one value from log

gcusello — Thu, 18 Feb 2021 07:54:50 GMT

Hi @ivana27,

if you cannot identify a more complex regex (as me an @Kwip hinted), the only way if my other hint: use a different name for the regex extracted field.

Ciao.

Giuseppe

Re: how to extract one value from log

Kwip — Thu, 18 Feb 2021 08:52:27 GMT

Hi @ivana27 , @gcusello is right.

So you mean the log format is going to be the same and country value will change ? And you want to extract licensePlate values on this pattern of logs?

Try something below,

| rex field=_raw "country=\d+\, licensePlate=(?<LicensePlateNumber>[^ ]+)"