https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400753#M167411 <P>I have a field in my log which contains a huge text data with two different formats. I tried to catch a few parts in a new field but was unable to get all the data.</P> <PRE><CODE>First type ------------------------------------ Timestamp=26/SEP/2018 16:37:38 UTC|DBA_GROUP=X2Oracle_NSS|TOWER=NSS|DB_INSTANCE_NAME=lsrprod|DB_HOST_NAME=ABC|UAID=0|TABLE_OWNER=STAGE|TABLE_NAME=NFMDAT|PARTITION_POSITION=6|PARTITION=P2018|HIGH_VALUE=TTO_DATE(' 2019-01-01 00:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN')|PREV_HIGH_VALUE=TTO_DATE(' 2018-01-01 00:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN') Second type ------------------------------------------------- Timestamp=26/SEP/2018 16:01:06 UTC|DBA_GROUP=X2Oracle_GFS|TOWER=GFS|DB_INSTANCE_NAME=ecs02prd|DB_HOST_NAME=ASD|UAID=UDBID-15360|TABLE_OWNER=ECSREFRESH_EXCEPTION|TABLE_NAME=ECS_TRAN_AUDIT_HSTR_BKP|PARTITION_POSITION=27|PARTITION=ECSTRANAUDTHSTR_20170430|HIGH_VALUE=TIMESTAMP' 2017-05-01 00:00:00'|PREV_HIGH_VALUE=TIMESTAMP' 2017-04-01 00:00:00' partition_check_En_Time=12:01:07 PM End_Time: Wed Sep 26 12:01:07 EDT 2018 </CODE></PRE> <P>I used the below query to get the new field from above log.</P> <PRE><CODE>base search | eval Current_High_Value=substr(HIGH_VALUE, 11, 20) | eval Previous_High_Value=substr(PREV_HIGH_VALUE, 11, 20) </CODE></PRE> <P>I am getting value properly for Current_High_Value field but not getting complete data in Previous_High_Value. Its not picking data for second type of log.</P> Tue, 29 Sep 2020 21:26:35 GMT twh1 2020-09-29T21:26:35Z https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400753#M167411 <P>I have a field in my log which contains a huge text data with two different formats. I tried to catch a few parts in a new field but was unable to get all the data.</P> <PRE><CODE>First type ------------------------------------ Timestamp=26/SEP/2018 16:37:38 UTC|DBA_GROUP=X2Oracle_NSS|TOWER=NSS|DB_INSTANCE_NAME=lsrprod|DB_HOST_NAME=ABC|UAID=0|TABLE_OWNER=STAGE|TABLE_NAME=NFMDAT|PARTITION_POSITION=6|PARTITION=P2018|HIGH_VALUE=TTO_DATE(' 2019-01-01 00:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN')|PREV_HIGH_VALUE=TTO_DATE(' 2018-01-01 00:00:00', 'SYYYY-MM-DD HH24:MI:SS', 'NLS_CALENDAR=GREGORIAN') Second type ------------------------------------------------- Timestamp=26/SEP/2018 16:01:06 UTC|DBA_GROUP=X2Oracle_GFS|TOWER=GFS|DB_INSTANCE_NAME=ecs02prd|DB_HOST_NAME=ASD|UAID=UDBID-15360|TABLE_OWNER=ECSREFRESH_EXCEPTION|TABLE_NAME=ECS_TRAN_AUDIT_HSTR_BKP|PARTITION_POSITION=27|PARTITION=ECSTRANAUDTHSTR_20170430|HIGH_VALUE=TIMESTAMP' 2017-05-01 00:00:00'|PREV_HIGH_VALUE=TIMESTAMP' 2017-04-01 00:00:00' partition_check_En_Time=12:01:07 PM End_Time: Wed Sep 26 12:01:07 EDT 2018 </CODE></PRE> <P>I used the below query to get the new field from above log.</P> <PRE><CODE>base search | eval Current_High_Value=substr(HIGH_VALUE, 11, 20) | eval Previous_High_Value=substr(PREV_HIGH_VALUE, 11, 20) </CODE></PRE> <P>I am getting value properly for Current_High_Value field but not getting complete data in Previous_High_Value. Its not picking data for second type of log.</P> Tue, 29 Sep 2020 21:26:35 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400753#M167411 twh1 2020-09-29T21:26:35Z https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400754#M167412 <P>You can use rex command to get Previous high value-</P> <P>rex field=PREV_HIGH_VALUE "\W+\s+(?\d{4}-\d{2}-\d{2})"</P> Tue, 29 Sep 2020 21:26:46 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400754#M167412 Vijeta 2020-09-29T21:26:46Z https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400755#M167413 <P>I have used below query and getting value properly.</P> <PRE><CODE>base search | eval Current_High_Value=substr(HIGH_VALUE, 11, 20) | rex "^(?:[^ \n]* ){5}(?P&lt;Pre_High_Value&gt;[^']+)" | eval Previous_High_Value= case(like(PREV_HIGH_VALUE, "TTO_DATE%"), substr(PREV_HIGH_VALUE, 11, 20), like(PREV_HIGH_VALUE, "TIMESTAMP%"), Pre_High_Value) </CODE></PRE> Thu, 27 Sep 2018 11:11:15 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400755#M167413 twh1 2018-09-27T11:11:15Z https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400756#M167414 <P>Thanks @Vijeta </P> Thu, 11 Oct 2018 16:58:08 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-fetch-data-from-an-existing-field/m-p/400756#M167414 twh1 2018-10-11T16:58:08Z