topic Re: Extracting multiple fields from events in Splunk Search

Extracting multiple fields from events

bharpur183 — Tue, 29 Sep 2020 15:36:23 GMT

I want to extract 2 separate fields from the below events :

the event is :

2017-09-01T23:50:49.325-04:00 INFO m_gchgserv_gchg.cpp(2264)[8] GCHG::sendGchgUpdate() - 808998798 type: 0 note:
Completed {FIFW GCHG 12345}: NETS: TOY-HK1 relocate PCCW 10G circuit from jr4 to jrf3 (Physical work)
Scheduled : 09/02/2017 03:08 GMT to 09/02/2017 03:50 GMT
Rep : EDDIE CHOY
Approver : HIDETOSHI NAGAO
Note: Work will be swung from jrf4 to jrf3 for diversity purpose.

From the event I want to extract the ticket #
which in this case is {FIFW GCHG 12345}:
and then the Note
which is Note: Work will be swung from jrf4 to jrf3 for diversity purpose.

The thing is both these fields keep changing from time to time. Ticket # changes and work description changes as well.
But I want the regex in a way that whatever is put under those 2 fields shows up in a dashboard

Re: Extracting multiple fields from events

cpetterborg — Mon, 04 Sep 2017 00:13:36 GMT

You haven't said if you want this for using in a search, or in a props.conf, so I'm going to assume the former, but the regex can be applied to the latter as well.

Try this:

... | rex "(?P<case>{[^}]+})[\s\S]+(?P<note>Note:.*)"

Re: Extracting multiple fields from events

bharpur183 — Mon, 04 Sep 2017 00:25:40 GMT

Thanks @cpetterborg . the above worked but only getting the ticket or case number the note description or regex did extract anything

Re: Extracting multiple fields from events

bharpur183 — Mon, 04 Sep 2017 00:42:41 GMT

my bad , I missed it . I can see the note now.

One more thing in the above I have another section that says status , which shows if the case or ticket is in progress or completed.

1 . How can I sort them to show the in progress on the and the completed after that?
2. Is it possible to color code the in-progress and completed events ?

the entire search string is :

(index=guts* contextName::gchg) AND (Completed AND NOTE) sourcetype=gchgserv source="/bb/intntwk/logs/gchgserv.log.20170901" contextName=gchg Status="" | iconify Status | rex "(?P{[^}]+})[\s\S]+(?PNote:.)"| table Ticket,Status,note

Re: Extracting multiple fields from events

cpetterborg — Mon, 04 Sep 2017 01:30:28 GMT

Can you give an example of the event that has "status" in it?

Does it have the case number in that event as well?

Regarding your questions:

If you sort by time, it should have the last one that is the current status, but it may depend on what you data looks like to see what needs to be done. Example data is helpful.
Yes, you can color code things, and this is a case that you can color code. It is a bit more complicated thing to do, but let's see what your additional example data gives us.

Re: Extracting multiple fields from events

bharpur183 — Tue, 29 Sep 2020 15:36:25 GMT

Yea. I was able to sort it based on time.
If color coding is possible that will be great

the event is :

2017-09-01T23:50:49.325-04:00 INFO m_gchgserv_gchg.cpp(2264)[8] GCHG::sendGchgUpdate() - 808998798 type: 0 note:
Completed {FIFW GCHG 12345}: NETS: TOY-HK1 relocate PCCW 10G circuit from jr4 to jrf3 (Physical work)
Scheduled : 09/02/2017 03:08 GMT to 09/02/2017 03:50 GMT
Rep : Ray Choy
Approver : Chig Chiot
Note: Work will be swung from jrf4 to jrf3 for diversity purpose.

So in the above :
where it says Completed, that the status
The case # is {fifw gchg 12345}

The status changes from in-progress to completed. so want to code code them separately

Re: Extracting multiple fields from events

cpetterborg — Mon, 04 Sep 2017 02:04:18 GMT

So assuming that the progress comes just before the case number:

... | rex "(?P<status>.*)\s(?P<case>{[^}]+})[\s\S]+(?P<note>Note:.*)"

Then, if all the related events have the case number, you can group them into a single even to look at with the transaction command:

... | rex "(?P<status>.*)\s(?P<case>{[^}]+})[\s\S]+(?P<note>Note:.*)" | transaction case

I'm not sure if it will help what you want, but that will group everything by case. If you are only wanting to get the most recent value to see the status, use:

... | rex "(?P<status>.*)\s(?P<case>{[^}]+})[\s\S]+(?P<note>Note:.*)" | stats latest status by case

Then the color coding is dependent on how you want to display the data and what the possible values are, for example, if there are more than just in progress and completed.

Re: Extracting multiple fields from events

bharpur183 — Mon, 04 Sep 2017 02:14:44 GMT

I want to display them by status "in-progress" and "Completed"

Re: Extracting multiple fields from events

cpetterborg — Mon, 04 Sep 2017 12:47:05 GMT

Coloring the cells of a table is beyond the scope of the question you originally asked, but here is a link to documentation that should be of help:

https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Viz/TableFormatsXML

If you are going to color code the status of the cases, the note is useless unless it is exactly the same for all the instances of the case throughout the events. If the note will be the same, then you can use a the stats command slightly differently:

 ... | rex "(?P<status>.*)\s(?P<case>{[^}]+})[\s\S]+(?P<note>Note:.*)" | stats latest status by case, note | sort status

If you need further help with the color coding of the event data, submit a new question here in Answers to address it. Please be specific in what you want to display and how to display if it you do. Also it's good to mention the version of Splunk you are using, especially if it isn't a very recent version.

If I've answered your question here, please accept the answer so that others finding this question will know that it was answered successfully.