topic Re: How to Parse Results? in Splunk Search

How to Parse Results?

jfolland — Wed, 02 Feb 2011 00:29:05 GMT

I am interested in seeing only pieces of a message in the results. I would like to be able to run a search and return only a substring of the message. In sql, it would be something like "substring(message, charindex(message, 'somestringvalue'), somelength)" and thus my results would only contain the information I was interested in.

Is there a way to do this?

Re: How to Parse Results?

ziegfried — Wed, 02 Feb 2011 00:59:18 GMT

Probably the most straight-forward way to do this is to use a regular expression. It's quite easy to translate such a substring expression to regex. In order to see the altered message, you have to change the content of the _raw field.

eg.

substring(message, charindex(message, "foo"), 20)

would be translated as

sourcetype=mysourcetype | rex "(?<_raw>foo.{17})"

You can as well use the eval command to extract substrings, but there's no charindex equivalent available:

sourcetype=mysourcetype | eval _raw=substr(_raw, 5, 25)

Re: How to Parse Results?

mw — Wed, 02 Feb 2011 07:48:49 GMT

The answer can also depend on what you mean by substring. For presentation purposes, there are generally better mechanisms to carve up the raw data. If the relevant data is in fields then you can "table" them as well. Depending on the purpose, this can be prettier to look at:

fail* sourcetype=syslog | table pid, process