topic Re: help me rex extraction in Splunk Search

help me rex extraction

sravankaripe — Wed, 09 Nov 2016 21:49:48 GMT

i want to extract the fields and values where field name start with dv_ . Please help me with field extraction on this case.

endpoint="https://xyz.com/",dv_activity_due="UNKNOWN",calendar_stc="1231961",approval="not requested",dv_urgency="4 - Low",u_department="",dv_u_category="None",opened_by="frsjytyghngfchyghgmhhmhmhj",dv_u_caused_by="None",dv_u_software_model="",closed_at="2016-11-09 21:24:09",activity_due="",dv_number="INC123456",urgency="7",dv_sys_created_on="2016-10-26 10:11:28",service_offering="",dv_service_offering="",dv_upon_reject="Cancel all future Tasks",parent="",work_notes="",parent_incident="",u_territory="",dv_u_area="None",u_loc_code="",dv_sys_tags="",dv_follow_up="",dv_u_node="",u_caller_phone="(000) 000-0000",dv_cmdb_ci="",dv_u_vendor="IBM",work_notes_list="",priority="5",upon_approval="proceed",dv_notify="Do Not Notify",comments="",dv_approval="Not Yet Requested",dv_watch_list="st-store0509.allmanager@kohls.com",dv_u_loc_code="",dv_business_stc="303,849",sys_created_by="eci_mtsa",reopen_count="0",dv_sys_updated_on="2016-11-09 15:24:09",dv_due_date="",dv_expected_start="",dv_sys_domain="global",correlation_id="L17SRR",impact="7",dv_time_worked="10 Minutes",dv_opened_by="MTSA Integration",u_caused_by="",u_ess_visibility="true",approval_set="",contract="",watch_list="st-user@company.com",additional_assignee_list="",dv_work_notes="2016-11-09 12:12:25 - MTSA Integration (Work notes)

Re: help me rex extraction

sk314 — Wed, 09 Nov 2016 22:12:26 GMT

Splunk should automatically extract key=value pairs in search time. Have you tried searching in Verbose mode first? (As long as KV_MODE=auto for the sourcetype)

Re: help me rex extraction

sravankaripe — Wed, 09 Nov 2016 22:44:45 GMT

i tried it. it dose not retrieving all the values.

Re: help me rex extraction

gokadroid — Wed, 09 Nov 2016 23:02:05 GMT

Try this, where sed is used first to replace any blank values \"\" in the dv_fields with a word "Blank" and the fields are extracted thereafter:

yourQuery to return the entire string in field stringValue
| rex mode=sed field=stringValue "s/\"\"/\"Blank\"/g"
| rex field=stringValue max_match=0 "(?<dvFieldName>(dv_[^=]+))\=\"*(?<dvFieldValue>[^\"]+)"
| eval kvPair=mvzip(dvFieldName, dvFieldValue, "~")
| mvexpand kvPair
| rex field=kvPair "(?<myField>[^~]+)\~(?<myValue>[^$]+)"
| table myField, myValue

Trial example to test the above query:

| makeresults| eval stringValue="endpoint=\"https://xyz.com/\",dv_activity_due=\"UNKNOWN\",calendar_stc=\"1231961\",approval=\"not requested\",dv_urgency=\"4 - Low\",u_department=\"\",dv_u_category=\"None\",opened_by=\"frsjytyghngfchyghgmhhmhmhj\",dv_u_caused_by=\"None\",dv_u_software_model=\"\",closed_at=\"2016-11-09 21:24:09\",activity_due=\"\",dv_number=\"INC123456\",urgency=\"7\",dv_sys_created_on=\"2016-10-26 10:11:28\",service_offering=\"\",dv_service_offering=\"\",dv_upon_reject=\"Cancel all future Tasks\",parent=\"\",work_notes=\"\",parent_incident=\"\",u_territory=\"\",dv_u_area=\"None\",u_loc_code=\"\",dv_sys_tags=\"\",dv_follow_up=\"\",dv_u_node=\"\",u_caller_phone=\"(000) 000-0000\",dv_cmdb_ci=\"\",dv_u_vendor=\"IBM\",work_notes_list=\"\",priority=\"5\",upon_approval=\"proceed\",dv_notify=\"Do Not Notify\",comments=\"\",dv_approval=\"Not Yet Requested\",dv_watch_list=\"st-store0509.allmanager@kohls.com\",dv_u_loc_code=\"\",dv_business_stc=\"303,849\",sys_created_by=\"eci_mtsa\",reopen_count=\"0\",dv_sys_updated_on=\"2016-11-09 15:24:09\",dv_due_date=\"\",dv_expected_start=\"\",dv_sys_domain=\"global\",correlation_id=\"L17SRR\",impact=\"7\",dv_time_worked=\"10 Minutes\",dv_opened_by=\"MTSA Integration\",u_caused_by=\"\",u_ess_visibility=\"true\",approval_set=\"\",contract=\"\",watch_list=\"st-store0509.allmanager@kohls.com\",additional_assignee_list=\"\",dv_work_notes=\"2016-11-09 12:12:25 - MTSA Integration (Work notes)\""
| rex mode=sed field=stringValue "s/\"\"/\"Blank\"/g"
| rex field=stringValue max_match=0 "(?<dvFieldName>(dv_[^=]+))\=\"(?<dvFieldValue>[^\"]*)"
| eval kvPair=mvzip(dvFieldName, dvFieldValue, "~")
| mvexpand kvPair
| rex field=kvPair "(?<myField>[^~]+)\~(?<myValue>[^$]+)"
| table myField, myValue

Re: help me rex extraction

gcusello — Thu, 10 Nov 2016 11:54:36 GMT

Hi sravankaripe,
Splunk recognize fields at search time when there is an equal (=) between field name and field value, so you can have without any activity al the fields and values.

I don't understand in your question, if you need to extract field names or field values.
If you need field names, you can use the following regex

(?<field_name>dv_[^\=]*)

if instead you want to have the values of all fields, you could use the following regex

dv_[^\=]*\=\"(?<field_name>[^\"]*)

Bye.
Giuseppe

Re: help me rex extraction

sravankaripe — Tue, 29 Sep 2020 11:44:25 GMT

i want to dispaly attribute name also like

ex:-

dv_activity_due = value1
dv_approval = value2
dv_business_duration = value3
dv_business_service = value4
dv_business_stc = value5

Re: help me rex extraction

sravankaripe — Thu, 10 Nov 2016 18:15:08 GMT

i am done thanks