https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/636248#M220959 <P>Thanks&nbsp;<SPAN>gcusello, this really helps.<BR />I am getting values which are prior to , in messages but messages are having thousands of count and those in below pattern. How can I get whole value. Update value on below page.<BR /><A href="https://regex101.com/r/aPEZ6B/1" target="_blank">https://regex101.com/r/aPEZ6B/1</A><BR /></SPAN></P><P><SPAN>Sample -<BR />2023-03-21 04:14:13.859, queue_name:stream-AccountProfile, messages: 16,2303, bytes: 13 KiB, actCusumers: 4, numSubjects: 1<BR />2023-03-21 04:14:13.859, queue_name:stream-SampleProfile, messages: 3,522, bytes: 2.4 MiB, actCusumers: 4, numSubjects: 1<BR /></SPAN></P> Tue, 28 Mar 2023 06:16:09 GMT drogo 2023-03-28T06:16:09Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/635469#M220778 <P>Hello, I want to extract fiends from below log format. Can someone please help.<BR /><BR /></P> <P><U>Log format -</U></P> <P>2023-03-21 04:14:13.859, queue_name:stream-AccountProfile, messages: 16, bytes: 13 KiB, actCusumers: 4, numSubjects: 1<BR />2023-03-21 04:14:13.859, queue_name:stream-SampleProfile, messages: 3,522, bytes: 2.4 MiB, actCusumers: 4, numSubjects: 1</P> <P>Fields I want to extract are queue name,&nbsp;messages,&nbsp;actCusumers,&nbsp;numSubjects.&nbsp;</P> <P>I am using below eval commands but looks like I am not getting all logs, also getting duplicate events.</P> <P>I am want to extract only latest ones.</P> <P><U>Query -&nbsp;</U></P> <P>| eval ArrayAttrib=split(_raw,",")<BR />| eval numSubjects=mvindex(split(mvindex(ArrayAttrib,-1) ,": "),1)<BR />| eval actConsumers=mvindex(split(mvindex(ArrayAttrib,-2) ,": "),1)<BR />| eval bytes=mvindex(split(mvindex(ArrayAttrib,-3) ,": "),1)<BR />| eval messages=mvindex(split(mvindex(ArrayAttrib,-4) ,": "),1)<BR />| eval stream=mvindex(split(mvindex(ArrayAttrib,-5) ,":"),1)<BR />| eval dtm=strftime(_time,"%Y-%m-%d %H:%M")<BR />| stats max(dtm) by stream numSubjects actConsumers bytes messages<BR />| fields "stream", "messages", "actConsumers", "numSubjects", "max(dtm)"<BR />| dedup "messages" | dedup "stream" | sort "stream"</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 22 Mar 2023 15:37:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/635469#M220778 drogo 2023-03-22T15:37:50Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/635470#M220779 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254896">@drogo</a>&nbsp;,</P><P>what's your problem rexes to extract fields?</P><P>if this is your issue, you can use this regex</P><LI-CODE lang="markup">| rex "queue_name:\s*(?&lt;queue_name&gt;[^,]+),\s+messages:\s*(?&lt;messages&gt;[^,]+),.*bytes:\s*(?&lt;bytes&gt;[^,]+),\s*actCusumers:\s*(?&lt;actCusumers&gt;[^,]+),\s*numSubjects:\s*(?&lt;numSubjects&gt;\d+)"</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/aPEZ6B/1" target="_blank">https://regex101.com/r/aPEZ6B/1</A></P><P>Ciao.</P><P>Giuseppe</P> Wed, 22 Mar 2023 08:42:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/635470#M220779 gcusello 2023-03-22T08:42:36Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/635473#M220782 <P>Try extracting the fields this way (note the renames are required because your sample data doesn't match the field names you are using and I have assumed _time has been extracted properly already)</P><LI-CODE lang="markup">| extract pairdelim="," kvdelim=":" | rename queue_name as stream | rename actCusumers as actConsumers | stats max(_time) as _time by stream numSubjects actConsumers bytes messages</LI-CODE><P>&nbsp;The dedups you have used would have kept the first event for each messages (given that this appears to be just a count(?) you will have lost some data here). This could have been further reduced by the next dedup if you had more than one different messages value for a stream.</P><P>What is it that you are actually trying to determine from your events?</P> Wed, 22 Mar 2023 08:59:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/635473#M220782 ITWhisperer 2023-03-22T08:59:54Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/636248#M220959 <P>Thanks&nbsp;<SPAN>gcusello, this really helps.<BR />I am getting values which are prior to , in messages but messages are having thousands of count and those in below pattern. How can I get whole value. Update value on below page.<BR /><A href="https://regex101.com/r/aPEZ6B/1" target="_blank">https://regex101.com/r/aPEZ6B/1</A><BR /></SPAN></P><P><SPAN>Sample -<BR />2023-03-21 04:14:13.859, queue_name:stream-AccountProfile, messages: 16,2303, bytes: 13 KiB, actCusumers: 4, numSubjects: 1<BR />2023-03-21 04:14:13.859, queue_name:stream-SampleProfile, messages: 3,522, bytes: 2.4 MiB, actCusumers: 4, numSubjects: 1<BR /></SPAN></P> Tue, 28 Mar 2023 06:16:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/636248#M220959 drogo 2023-03-28T06:16:09Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/636251#M220960 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>,<BR />I got the solution, thanks for your help!<BR /><A href="https://regex101.com/r/aPEZ6B/1" target="_blank">https://regex101.com/r/aPEZ6B/1</A>&nbsp;</P> Tue, 28 Mar 2023 06:41:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/636251#M220960 drogo 2023-03-28T06:41:42Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/636252#M220961 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254896">@drogo</a>,</P><P>please try this:</P><LI-CODE lang="markup">^(?&lt;_time&gt;[^,]+),\s+queue_name:\s*(?&lt;queue_name&gt;[^,]+),\s+messages:\s*(?&lt;messages&gt;.+),.*bytes:\s*(?&lt;bytes&gt;[^,]+),\s*actCusumers:\s*(?&lt;actCusumers&gt;[^,]+),\s*numSubjects:\s*(?&lt;numSubjects&gt;\d+)</LI-CODE><P>that you can test at&nbsp;<A href="https://regex101.com/r/aPEZ6B/2" target="_blank">https://regex101.com/r/aPEZ6B/2</A></P><P>Ciao.</P><P>Giuseppe</P> Tue, 28 Mar 2023 06:42:57 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-fields-from-txt-format/m-p/636252#M220961 gcusello 2023-03-28T06:42:57Z