Solved: Re: How to covert raw log to specific fields

splunklearner99 · ‎12-04-2022

Hello Champs..

One of the splunk log is having below field

Text: XCOM: File Receive ended REQ 086094, Remote LU 10.38.46.122, File $PRD10.C221130A Remotefile /ABC/APP1/OUT/C221130A 63465 bytes, 578 records in 38875 microsec

I want to extract File_name = $PRD10.C221130A and Remote_file = /ABC/APP1/OUT/C221130A and records = 578 from above Text filed. How this can be done? Please help

ITWhisperer · ‎12-05-2022

Try this - note the ? after the .+

| rex "File\s(?<File_name>\S+)\s*Remotefile\s(?<Remote_file>\S+).+?(?<records>\d+)\srecords"

View solution in original post

ITWhisperer · ‎12-05-2022

| rex "File\s(?<File_name>\S+)\s*Remotefile\s(?<Remote_file>\S+).+(?<records>\d+)\srecords"

splunklearner99 · ‎12-05-2022

Thanks @ITWhisperer , the query is giving below result

File_name = $PRD10.C221130A

Remote_file = /ABC/APP1/OUT/C221130A

rerecords = 3

For records your query is taking the first byte of microsecond, expected 578 records

raw log: File $PRD10.C221130A Remotefile /ABC/APP1/OUT/C221130A 63465 bytes, 578 records in 38875 microsec

ITWhisperer · ‎12-05-2022

Try this - note the ? after the .+

| rex "File\s(?<File_name>\S+)\s*Remotefile\s(?<Remote_file>\S+).+?(?<records>\d+)\srecords"

splunklearner99 · ‎12-05-2022

thanks @ITWhisperer , Similarly would be able to help for thisText: CBM042 CEDBatch finished, Chg=B221205D, Recs=2581, Errs=8

Where I need

Status = CEDBatch finished

Records = 2581

Errors =9

Change = B221205D

@ITWhisperer

ITWhisperer · ‎12-05-2022

| rex "\w+\s(?<status>[^,]+), Chg=(?<change>\w+), Recs=(?<records>\d+), Errs=(?<errors>\d+)"

https://regex101.com/r/nbhKPz/1

How to covert raw log to specific fields?

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...