topic Re: how to extract 2 different values from a string and put it into 2 fields in Splunk Search

how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Thu, 11 Aug 2016 07:44:45 GMT

My data looks like:

A is running
b is running

c is running

each events contain such kind of bunch of data. i want to create 2 fields capturing (A,B,C) in row and other capturing the corresponding status(running) in row.

please provide me needful help

thanks in advance

Re: how to extract 2 different values from a string and put it into 2 fields

inventsekar — Thu, 11 Aug 2016 12:16:06 GMT

your search | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status

first column will have only one letter (a or b or .. ) or it can have a few letters (host1, etc )
status will have only "running" or what other values it can have (running, not running, failed, etc..)

Re: how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Thu, 11 Aug 2016 12:24:33 GMT

there is no value under the table first status i.e not able to see any output

Re: how to extract 2 different values from a string and put it into 2 fields

inventsekar — Thu, 11 Aug 2016 12:37:46 GMT

the "status" is the variable i am using the extract the word "running".

Re: how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Thu, 11 Aug 2016 12:44:26 GMT

so under the field name "status" running value should be populated but the table is blank. just one row is there having name which is captured under <>.

Re: how to extract 2 different values from a string and put it into 2 fields

inventsekar — Thu, 11 Aug 2016 12:50:37 GMT

i uploaded these sample events -
A is running
b is running
c is running
A is running
b is failed
c is running

i ran this query -

sourcetype=runningrex | rex field=_raw "(?<first>\w)\sis\s(?<status>\w+)" | table first status _raw

and i get this result -

first status _raw
c running c is running
b failed b is failed
A running A is running
c running c is running
b running b is running
A running A is running

Re: how to extract 2 different values from a string and put it into 2 fields

sundareshr — Thu, 11 Aug 2016 12:55:15 GMT

Try this

your search | rex field=_raw "(?<first>\w+)\sis\s(?<status>\w+)" | table first status

Re: how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Thu, 11 Aug 2016 12:59:02 GMT

none of the solution give the desire output. all output are blank.

Splunk version 6.2.5 i am using, could this cause any problem

Re: how to extract 2 different values from a string and put it into 2 fields

sundareshr — Thu, 11 Aug 2016 13:07:21 GMT

Assuming these are individual events, try this.

*UPDATED based on real events*

your search | rex field=_raw "(?<device>[^\(]+)\(\d+\)\sis\s(?<status>\w+)" | table device status

Re: how to extract 2 different values from a string and put it into 2 fields

javiergn — Thu, 11 Aug 2016 14:25:18 GMT

Is this what you are trying to achieve?
Feel free to copy and paste into your search box or simply get rid of everything up to the rex and use the right name of your field there to try this out.

| makeresults | fields - _time
| eval sample = "
A is running;
b is running;
c is running;
D is stopped;
E is unreachable
"
| eval sample = split(sample, ";")
| mvexpand sample
| rex field=sample "(?<who>\w+).+?(?<status>\w+)$"
| table who, status

Output (see picture below):

Re: how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Thu, 11 Aug 2016 19:40:46 GMT

actual data is like in place of
A is running;
b is running;
c is running;
D is stopped;
E is unreachable

is
'aaaa bbbb cccc dddd' (1234) is running.
'akdg ytdf tyui tyhj' (1245) is running.
.
.
.like this
so i have to capture only:- aaaa bbbb cccc dddd running in two different field. similary other values.

Re: how to extract 2 different values from a string and put it into 2 fields

sundareshr — Thu, 11 Aug 2016 19:45:38 GMT

@Tannawi.Chauhan try my updated answer

Re: how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Thu, 11 Aug 2016 19:53:55 GMT

didn't work......:(
I think rex pattern is causing problem.
My data is like
'aaaa bbbb cccc dddd' (1234) is running.
'akdg ytdf tyui tyhj' (1245) is running.

so output should be in two different field
aaaa bbbb cccc dddd running
.
.
.
.

Re: how to extract 2 different values from a string and put it into 2 fields

sundareshr — Thu, 11 Aug 2016 19:56:02 GMT

See if you see the right values in the right panel in this site

https://regex101.com/r/mJ8iX9/1

Re: how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Thu, 11 Aug 2016 20:25:31 GMT

didn't work

Re: how to extract 2 different values from a string and put it into 2 fields

javiergn — Thu, 11 Aug 2016 21:17:03 GMT

Then simply change the regex to:

| rex "\'(?<who>[^\']+)\'.+?(?<status>\w+)$"

Re: how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Fri, 12 Aug 2016 07:16:36 GMT

none of the solution work out....:(

Re: how to extract 2 different values from a string and put it into 2 fields

javiergn — Fri, 12 Aug 2016 10:34:16 GMT

Can you post the query here?

This works fine for me:

| makeresults | fields - _time
| eval sample = "
'aaaa bbbb cccc dddd' (1234) is running;
'akdg ytdf tyui tyhj' (1245) is running
"
| eval sample = split(sample, ";")
| mvexpand sample
| rex field=sample "\'(?<who>[^\']+)\'.+?(?<status>\w+)$"
| table who, status

Output:

Re: how to extract 2 different values from a string and put it into 2 fields

Tannawi_Chauha1 — Fri, 12 Aug 2016 11:14:58 GMT

may i know which version of splunk you are using.....

Re: how to extract 2 different values from a string and put it into 2 fields

javiergn — Fri, 12 Aug 2016 11:57:40 GMT

Splunk Enterprise 6.4.1