topic Need help to extract field from raw in Splunk Search

Need help to extract field from raw

bhaskar5428 — Fri, 04 Apr 2025 11:38:33 GMT

Please find the below attached screenshot and data sample i need to create 5 felids
problem statement - old splunk query not working as logging pattern got changed

3/28/25
10:04:25.685 PM

2025-03-28T22:04:25.685Z INFO 1 --- [ool-1-thread-11] c.d.t.l.s.s.e.e.NoopLoggingEtlEndpoint : Completed generation for [DE, 2025-03-28, LOAN_EVENT_SDP, 1]. Number of records: 186

host = lonhybridapp03.uk.db.com
source = /var/log/pods/ls2_ls2-intraday-sdp-86854ff574-48dgp_830e2ef9-56be-4996-ae21-127366a78515/ls2-intraday-sdp/0.log
sourcetype = kube:container:ls2-intraday-sdp

Need below

index=*1644* container_name="ls2-sdp-java" $selected_countries$
| rex field=_raw "country=(?P<country>\w+)" (DE)
| rex field=_raw "sdpType=(?P<sdpType>\w+)" (LOAN_EVENT_SDP)
| rex field=_raw "cobDate=(?P<cobDate>\w+)" (2025-03-28)
| rex field=_raw "record-count: (?P<Recordcount>\w+)" (186)
| rex field=_raw "\[(?<dateTime>.*)\] \{Thread" (2025-03-28T22:04)
| eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S,%N")
| eval CreatedTime=strftime(DateTime, "%H:%M")
| eval CreatedDate=strftime(DateTime, "%Y-%m-%d")

above SPL has old query , can you please help me with new rex pattern to extract these fields

For clear understanding i have attached required fields in screenshot

Re: Need help to extract field from raw

richgalloway — Fri, 04 Apr 2025 13:03:31 GMT

Perhaps this will help.

index=*1644* container_name="ls2-sdp-java" $selected_countries$ | rex field=_raw "for \[(?P<country>\w+),\s*(?P<cobDate>\w+),\s*(?P<sdpType>\w+)" | rex field=_raw "records: (?P<Recordcount>\w+)" | rex field=_raw "^(?<dateTime>\S+)" | eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%3N%Z") | eval CreatedTime=strftime(DateTime, "%H:%M") | eval CreatedDate=strftime(DateTime, "%Y-%m-%d")

Re: Need help to extract field from raw

bhaskar5428 — Fri, 04 Apr 2025 12:22:26 GMT

Not working , But if use single and try for single Country its working
please help

also what is use of

| rex field=_raw "^\S+"

Re: Need help to extract field from raw

bhaskar5428 — Fri, 04 Apr 2025 12:24:18 GMT

Not working , please help

| rex field=_raw "^\S+"

Re: Need help to extract field from raw

richgalloway — Fri, 04 Apr 2025 13:04:16 GMT

Please try my updated query.

Re: Need help to extract field from raw

livehybrid — Fri, 04 Apr 2025 22:22:38 GMT

Hi @bhaskar5428,

Check out the following:

index=*1644* container_name="ls2-sdp-java" $selected_countries$ | rex field=_raw "\[(?<country>[^,]+),\s(?<cobDate>[^,]+),\s(?<sdpType>[^,]+)," | rex field=_raw "Number of records:\s*(?<Recordcount>\d+)" | rex field=_raw "^(?<dateTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)" | eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%NZ") | eval CreatedTime=strftime(DateTime, "%H:%M") | eval CreatedDate=strftime(DateTime, "%Y-%m-%d")

Example with makeresults:

| makeresults | eval _raw="2025-03-28T22:04:25.685Z INFO 1 --- [ool-1-thread-11] c.d.t.l.s.s.e.e.NoopLoggingEtlEndpoint : Completed generation for [DE, 2025-03-28, LOAN_EVENT_SDP, 1]. Number of records: 186" | rex field=_raw "\[(?<country>[^,]+),\s(?<cobDate>[^,]+),\s(?<sdpType>[^,]+)," | rex field=_raw "Number of records:\s*(?<Recordcount>\d+)" | rex field=_raw "^(?<dateTime>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z)" | eval DateTime=strptime(dateTime, "%Y-%m-%dT%H:%M:%S.%NZ") | eval CreatedTime=strftime(DateTime, "%H:%M") | eval CreatedDate=strftime(DateTime, "%Y-%m-%d") | table _raw dateTime country cobDate sdpType Recordcount CreatedTime CreatedDate

🌟 Did this answer help you? If so, please consider:

Adding kudos to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing