topic Re: Extracting a string from the search result in Splunk Search

Extracting a string from the search result

zeewagon — Tue, 29 Sep 2020 11:40:18 GMT

INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:EXCEL

Above is my search result, and I wanna extract the word 'Start' alone. Like using 'awk' in bash. How do I do this in splunk?

Re: Extracting a string from the search result

richgalloway — Thu, 03 Nov 2016 14:11:23 GMT

What is your current search? Do you want just "Start" or any word (like "Done") in that position?

For the latter, try

... | rex ":\s+(?<start>\w+)" | ...

Re: Extracting a string from the search result

somesoni2 — Thu, 03 Nov 2016 14:26:23 GMT

How about this (extracting as field Action)

your base search | rex "^\w+\s*:\s*(?<Action>\w+)"

Updated per latest sample data

your base search | rex "^(\S+\s){4}:\s(?<Action>\w+)"

Sample event

2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US

Re: Extracting a string from the search result

zeewagon — Fri, 04 Nov 2016 05:17:45 GMT

But it is not displaying the string 'Start' alone. It displays the whole result 😞 I want it to display only 'Start'

Re: Extracting a string from the search result

gokadroid — Fri, 04 Nov 2016 05:27:26 GMT

I think what @somesoni2 has as regex will capture what u need in "Action" field. Can u see here that his regex works the way you want it, unless ur data is something else than the one u posted in question.

Re: Extracting a string from the search result

zeewagon — Tue, 29 Sep 2020 11:39:20 GMT

Okay.
Here is the correct data.

2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US

I want the only 'Start' string to be displayed in the results. How could we do that @gokadroid @somesoni2 ?

Re: Extracting a string from the search result

richgalloway — Fri, 04 Nov 2016 13:22:13 GMT

Try this.

... | rex "INFO\s:\s(?<action>[^\s]+)" | ...

Re: Extracting a string from the search result

zeewagon — Tue, 29 Sep 2020 11:40:40 GMT

It is not working. I want only 'Start' to be displayed in the below line

2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US

Re: Extracting a string from the search result

gokadroid — Fri, 04 Nov 2016 15:32:03 GMT

Since you wanted to work it like awk and looking at your new data:

Your word when separated by spaces comes at awk '{print $6}', so use the field index6 after applying the rex as below to get that: your base query | rex "^(?<index1>[\S]+)\s(?<index2>[\S]+)\s(?<index3>[\S]+)\s(?<index4>[\S]+)\s(?<index5>[\S]+)\s(?<index6>[\S]+)\s(?<index7>[\S]+)\s(?<index8>[\S]+)\s(?<index9>[\S]+)\s(?<index10>[\S]+)\s(?<index11>[\S]+)\s(?<index12>[\S]+)\s(?<index13>[\S]+)" |stats count by index6 See here

Your word when separated by ":" comes as the first word of awk -F":" '{print $4}' which needs another pipe of awk '{print $1}'since "Start" is the first word of 4th index, hence find that piece as index4 below after applying rex: ...| rex "^(?<index1>[^\:]+)\:(?<index2>[^\:]+)\:(?<index3>[^\:]+)\:\s(?<index4>[\S]+)\s(?<index5>[^\:]+)\:(?<index6>[^\:]+)\:(?<index7>[^\:]+)\:(?<index8>[^\:]+)\:\s*(?<index9>[^\s]+)" | stats count by index4 See here.

Re: Extracting a string from the search result

richgalloway — Fri, 04 Nov 2016 20:24:41 GMT

On regex101.com, that rex command puts "Start" into the 'action' field.