topic Re: Filed extraction in Splunk Search

Filed extraction

moinoddinyadgir — Thu, 18 Apr 2024 10:08:32 GMT

Hi Community,

I have a question about regex and extraction

I have _raw data in 2 rows/lines (key and value) and I have to extract filed with key and value

e.g :
row 1 : Test1 Test2 Test3 Test4 Test5 Test6 Test7 Test8 Test9 Test10
row 2: 101 102 103. 104. 105. 106. 107. 108. 109. 110

I have to extract only Test7 from above log and have print it's value in table

Pls help me

Regards,
Moin

Re: Filed extraction

gcusello — Thu, 18 Apr 2024 11:09:23 GMT

try using kvform (https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/Kvform )

Ciao.

Giuseppe

Re: Filed extraction

deepakc — Thu, 18 Apr 2024 11:47:36 GMT

This is an example using makeresults and rex

| makeresults | eval _raw="Test1=101,Test2=102,Test3=103,Test4=104,Test5=105,Test6=106,Test7=107,Test8=108,Test9=109,Test101=110" | makemv _raw delim="," | rex field=_raw "(?<field>Test7)=(?<value>\d+)" | table field value

Re: Filed extraction

moinoddinyadgir — Thu, 18 Apr 2024 11:49:02 GMT

@deepakc
Thank you for reply.

_raw data is not static it going to change every minute.
could u pls let know how to use "eval" for data which going to be changed.

Re: Filed extraction

yuanliu — Sat, 20 Apr 2024 05:18:06 GMT

Do you mean to say that each event contains a row of headers and another row of values like the following?

Test1 Test2 Test3 Test4 Test5 Test6 Test7 Test8 Test9 Test
10 101 102 103. 104. 105. 106. 107. 108. 109. 110

The easiest is like @gcusello suggested, create a form to match this format, then use kvform.

No matter which method you use, you have to answer one question: What is the delimiter? Obviously there is no comma. But it is totally unclear whether the delimiter would be one space character, one tab character, or any number of white space characters can be interpreted as one delimiter. Suitable solution can be different when delimiter is different.

Here I illustrate a solution without using kvform that works with any number of white spaces between fields.

| rex mode=sed "s/\n/::/ s/\s+/,/g s/::/ /" | multikv

Your sample data will give you

Test1	Test10	Test2	Test3	Test4	Test5	Test6	Test7	Test8	Test9
101	110	102	103.	104.	105.	106.	107.	108.	109.

As I said, this is just one possible solution, and is most suitable if the number of white spaces (and even type of white spaces) between fields cannot be predetermined AND that field names and values do not contain any white space.

Here is an emulation that you can play with and compare with real data

| makeresults | eval _raw = "Test1 Test2 Test3 Test4 Test5 Test6 Test7 Test8 Test9 Test10 101 102 103. 104. 105. 106. 107. 108. 109. 110" ``` data emulation above ```

Re: Filed extraction

PickleRick — Sat, 20 Apr 2024 06:12:47 GMT

If your data is always in the same order, as others already suggested, it's just matter of setting up either regex-based or delimiter-based extraction to find a value in given position.

But if the problem lies in the fact that column order can change (and is always determined by a header row in a file), only INDEXED_EXTRACTIONS can help because Splunk processes each event separately so it has no way of knowing which "format" particular row belongs go if different files had different header rows.