topic Re: How to extract a field that is changing position in the logs? in Splunk Search

How to extract a field that is changing position in the logs?

omuelle1 — Mon, 24 Oct 2016 16:47:41 GMT

Hi,

I am trying to extract a field that is changing position in the logs and cannot figure out how to extract it.

"<"BusinessPartnerCode>005003"<"/BusinessPartnerCode> (without the quotes)

The entry looks like above and I am trying to get the numbers in between and name the field. When I mark it with the Splunk Field tool it doesn't work correctly, since the entry changes positions in the events.

Thank you.

Oliver

Re: How to extract a field that is changing position in the logs?

sundareshr — Mon, 24 Oct 2016 16:50:47 GMT

Is it always the same number? Is it always 6 digits? Please share some sample events.

Re: How to extract a field that is changing position in the logs?

omuelle1 — Mon, 24 Oct 2016 16:53:34 GMT

The number is changing but it's always 6 digits.

Re: How to extract a field that is changing position in the logs?

gokadroid — Mon, 24 Oct 2016 16:54:32 GMT

try:

If it only had quotes at the end like mentioned in question 005003"

yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

If it has quote at start and at end "005003"` try:

yourBaseSearch
| rex "\"\<\"BusinessPartnerCode\>\"(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

Re: How to extract a field that is changing position in the logs?

TStrauch — Mon, 24 Oct 2016 16:57:09 GMT

Add this to the sourcetype stanza in props.conf

EXTRACT-bpc = \<BusinessPartnerCode\>(?<BusinessPartnerCode>\d{6})\<\/BusinessPartnerCode\>

Or you take the way above for extraction during the search.

Re: How to extract a field that is changing position in the logs?

omuelle1 — Mon, 24 Oct 2016 18:03:16 GMT

Thank you. Actually my number does not have any quotes (just had to put them there because the Splunk website wouldn't allow the brackets otherwise).

Would this be the correct version without quotes?

| rex "\"<\"BusinessPartnerCode>(?[^\"]+)<\"\/BusinessPartnerCode>"

Re: How to extract a field that is changing position in the logs?

gokadroid — Mon, 24 Oct 2016 18:11:33 GMT

I was riding the same boat as you few days ago. Use the "code Sample" formatting button from text editor whenever you are putting a text which splunk website is messing up for tags. So for example If i type below, then select it and press "Code Sample" button, it will appear as follows:

rex "\"\<\"BusinessPartnerCode\>(?<businessCode>[^\"]+)\"\<\"\/BusinessPartnerCode\>"

If I type without highlighting and formatting it as "Code Sample" it looks like below:
rex "\"<\"BusinessPartnerCode>(?[^\"]+)\"<\"\/BusinessPartnerCode>"

See how ?<businessCode> disappears in above in comparison to code sample piece.
So use "Code Sample" button and give the exact sample of line for which you want the regex to be modified and I can paste it here in response.

However if there are no quotes in your sample above and your sample then is below:

<BusinessPartnerCode>005003</BusinessPartnerCode>

Then you can use this regex:

 | rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>"

Re: How to extract a field that is changing position in the logs?

omuelle1 — Mon, 24 Oct 2016 18:15:30 GMT

Got you, I was wondering what was the trick. Thank you very much.

<BusinessPartnerCode>001999</BusinessPartnerCode>

So what would be the regex without all the quotes? The one I posted isn't highlighting the the 6 digit code.

Re: How to extract a field that is changing position in the logs?

gokadroid — Mon, 24 Oct 2016 18:31:04 GMT

| rex "\<BusinessPartnerCode\>(?<businessCode>[^\<]+)\<\/BusinessPartnerCode\>"

I had pasted it above as well in the ending part of the comment later on.

OR alternatively if you wanna focus on the digits part (as above extracts everything till it enounters <, use below. Either should work

| rex "\<BusinessPartnerCode\>(?<businessCode>\d{6})\<\/BusinessPartnerCode\>"