I am not able to extract the value from an event

ashukp
Loves-to-Learn Lots

search query 
|table error_name

event
error_code=400||error_name=ErrorMsg: Internal Server Error

Output
ErrorMsg:

I should get the output as 
ErrorMsg: Internal Server Error

0 Karma

ashukp
Loves-to-Learn Lots

Thanks, it worked.

0 Karma

gcusello
SplunkTrust

Hi @ashukp,

If this answer solves your need, please accept it for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust

Hi @ashukp,

Let me understand what your problem is: you don't have any result, or you have only "error_name=ErrorMsg:"?

Probably there's an error in field extraction caused by the space in the string.

Splunk automatically extracts fields when it finds field=value, but if there's a space it thinks that the value is only the first part of the string.

If you share a sample of your log, I could help you in creating the regex.

Ciao.

Giuseppe

0 Karma

ashukp
Loves-to-Learn Lots

This is the sample format. Yes, there is a space.
error_code=400||error_name=ErrorMsg: Internal Server Error

0 Karma

gcusello
SplunkTrust

Hi @ashukp,

If this is your full event log, please try this regex:

| rex "error_name\=(?<error_name>.*)"

that you can test at https://regex101.com/r/b0ZBaA/1

Obviously, if your event is different (e.g. something else at the end), this regex is no longer correct (for this reason I asked for a sample of your log!).

Ciao.

Giuseppe

0 Karma
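The caveat in the last answer (the regex stops being correct once something follows `error_name` in the event) can be checked offline before the extraction goes into a search. This is an added example, not code from the thread: it uses Python's `(?P<name>...)` group syntax in place of `(?<name>...)`, the second and third sample events are constructed, and `BOUNDED` and `parse_pairs` are assumed names for a delimiter-aware alternative.

```python
import re

# Sample events in the thread's "key=value||key=value" layout.
# Only the first one appears in the thread; the other two are constructed
# to exercise a trailing field and an empty value.
SAMPLES = [
    "error_code=400||error_name=ErrorMsg: Internal Server Error",
    "error_code=500||error_name=ErrorMsg: Gateway Timeout||host=web01",
    "error_code=404||error_name=||host=web02",
]

# The answer's pattern, rewritten with Python's named-group syntax.
GREEDY = re.compile(r"error_name=(?P<error_name>.*)")

# Assumed variant: capture lazily and stop at the next "||" or at end of event.
BOUNDED = re.compile(r"error_name=(?P<error_name>.*?)(?=\|\||$)")


def extract(pattern, event):
    """Return the error_name capture, or None when the field is absent."""
    m = pattern.search(event)
    return m.group("error_name") if m else None


def parse_pairs(event, pair_delim="||", kv_delim="="):
    """Split the whole event into a dict; values keep their spaces."""
    fields = {}
    for pair in event.split(pair_delim):
        key, sep, value = pair.partition(kv_delim)
        if sep and key:  # skip fragments that have no key or no "="
            fields[key.strip()] = value
    return fields


if __name__ == "__main__":
    for ev in SAMPLES:
        print(repr(extract(GREEDY, ev)), repr(extract(BOUNDED, ev)), parse_pairs(ev))
```

On the event from the thread both patterns return the full message; on the constructed event with a trailing `host` field only the bounded pattern and the pair parser stop at the delimiter.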