topic Re: multi field extraction form the logs in Splunk Search

multi field extraction form the logs

saravana22 — Mon, 18 Oct 2021 09:17:26 GMT

Hi Experts,

Am new to splunk..

I need to extract the fields which is in MSGTXT which are highlighted. Only when MSGTXT in this format(SZ5114RA 00 1045 .06 .0 165K 2% 9728K 3% 400M") as there are different type message text also in the logs

Example

SZ5114RA as A

00 as B

1045 as C

.06 as D

.0 as E

165K as F

2% as G

9728K as H

3% as I

400M as J

Please help..!! thank you

below is the Sample logs..

{"MFSOURCETYPE":"SYSLOG","DATETIME":"2021-10-16 02:24:47.53 +1100","SYSLOGSYSTEMNAME":"P01","JOBID":"SZ04","JOBNAME":"SZ04","SYSPLEX":"SYPLX1A","ACTION":"INFORMATIONAL","MSGNUM":"SZ5114RA","MSGTXT":"SZ5114RA 00 1045 .06 .0 165K 2% 9728K 3% 400M","MSGREQTYPE":""}

{"MFSOURCETYPE":"SYSLOG","DATETIME":"2021-10-16 02:24:47.54 +1100","SYSLOGSYSTEMNAME":"P01","JOBID":"SZ04","JOBNAME":"SZ04","SYSPLEX":"SYPLX1A","ACTION":"INFORMATIONAL","MSGNUM":"SZ04","MSGTXT":"SZ04 ENDED -SYS=P01 NAME=LIVE$SZ TOTAL CPU TIME= 12.4 TOTAL ELAPSED TIME= 47.2","MSGREQTYPE":""}

Re: multi field extraction form the logs

ITWhisperer — Mon, 18 Oct 2021 09:41:57 GMT

| rex field=MSGTXT "^(?<A>\S+)\s(?<B>\S+)\s(?<C>\S+)\s(?<D>\S+)\s(?<E>\S+)\s(?<F>\S+)\s(?<G>\S+)\s(?<H>\S+)\s(?<I>\S+)\s(?<J>\S+)$"

Re: multi field extraction form the logs

saravana22 — Mon, 18 Oct 2021 09:52:55 GMT

Thank you so much for your quick response

it's not extracted the fields 😞

Re: multi field extraction form the logs

ITWhisperer — Mon, 18 Oct 2021 09:55:55 GMT

OK try extracting from _raw

| rex "MSGTXT\":\s*\"(?<A>\S+)\s(?<B>\S+)\s(?<C>\S+)\s(?<D>\S+)\s(?<E>\S+)\s(?<F>\S+)\s(?<G>\S+)\s(?<H>\S+)\s(?<I>\S+)\s(?<J>\S+)\""

Re: multi field extraction form the logs

saravana22 — Mon, 18 Oct 2021 10:33:37 GMT

Tried with _raw as well.. Still no changes..