topic Re: Extract multiple fields and create table in Splunk Search

How to extract multiple fields and create a table?

bharat149 — Wed, 02 Aug 2023 19:56:26 GMT

02.08.2023 12:44:10.690 *INFO* [sling-threadpool-2cfa6523-0895-49ea-bb99-ae6f63c25cf6-32-Create Site from Template(aaa/jobs/abc)] bbb.CreateSiteFromSiteTemplateJobExecutor Private Site : ‘site4’ created by user : ‘admin’ with MRNumber : ‘dr4’

I want to extract site , user and DR number and create table

Re: Extract multiple fields and create table

ITWhisperer — Wed, 02 Aug 2023 09:12:52 GMT

You have been shown how to use rex before - how could you modify this to locate (anchor) the string that you want and extract the data into a field using a pattern?

Get customer ID form logs - Splunk Community

Re: Extract multiple fields and create table

bharat149 — Wed, 02 Aug 2023 09:37:43 GMT

i need splunk querry

Re: Extract multiple fields and create table

ITWhisperer — Wed, 02 Aug 2023 09:46:07 GMT

OK what rex command have you tried so far?

Re: Extract multiple fields and create table

bharat149 — Wed, 02 Aug 2023 10:22:07 GMT

sourcetype=log | rex "Private Site : ‘(?[^’]+)’ created by user : ‘(?[^’]+)’ with DRNumber : ‘(?[^’]+)’" | table site, user ,drnumber

Re: Extract multiple fields and create table

ITWhisperer — Wed, 02 Aug 2023 10:30:30 GMT

Looks like you just need to name the capture groups with the field names you want to use

sourcetype=log | rex "Private Site : '(?<site>[^']+)' created by user : '(?<user>[^']+)' with DRNumber : '(?<drumber>[^']+)'" | table site, user ,drnumber

By the way, it looks like the single quotes may have been changed when you pasted your example in. It is best to use code blocks </> as I have just done to ensure formatting and content changes don't occur when showing events and SPL code.

Re: Extract multiple fields and create table

bharat149 — Wed, 02 Aug 2023 10:39:55 GMT

Not working

Re: Extract multiple fields and create table

bharat149 — Wed, 02 Aug 2023 10:40:42 GMT

source="error1.log" host="Bharats-MacBook-Pro.local" sourcetype="test1" | rex "Private Site : '(?<site>[^']+)' created by user : '(?<user>[^']+)' with DRNumber : '(?<drNumber>[^']+)'"

Rex is not wokring all the logs are getting printed

Re: Extract multiple fields and create table

ITWhisperer — Wed, 02 Aug 2023 10:53:17 GMT

Your search doesn't appear to have any filtering so I would have expected all logs to have been shown

Re: Extract multiple fields and create table

bharat149 — Wed, 02 Aug 2023 10:58:34 GMT

How to selected only the rex events only

Re: Extract multiple fields and create table

ITWhisperer — Wed, 02 Aug 2023 11:10:11 GMT

You could add your anchor strings to the initial search

sourcetype=log "Private Site : " " created by user : " " with DRNumber :" | rex "Private Site : '(?<site>[^']+)' created by user : '(?<user>[^']+)' with DRNumber : '(?<drumber>[^']+)'" | table site, user ,drnumber