Re: how to extract a particular field value and di...

mrr6892 · ‎05-13-2020

I got a requirement to extract " response_time: " field value from all logs and display table with name cf_rt I tried creating new field but its not returning data from all matching case. please advise.

Log format:

response_time:0.091901 gorouter_time:0.000400 app_id:"038e332a-4423-426b-9693-2488eafcd37d"

vnravikumar · ‎05-14-2020

Hi

Give a try with this rex

| makeresults 
| eval _raw="x_forwarded_proto:\"https\" vcap_request_id:\"2978162c-8dcc-47cb-ad10- e73187c36896\" response_time:1.833375 gorouter_time:0.000280 app_id:\"fd22e808-539c-4003-b221-cdc42aa03dbb\" app_index:\"0\" x_b3_traceid:\"12474aa9e6d47857\" x_b3_spanid:\"d3745ed0d25bd8d3\" x_b3_parentspanid:\"12474aa9e6d47857\" b3:\"12474aa9e6d47857- d3745ed0d25bd8d3-1-12474aa9e6d47857\" " 
| rex "response_time:(?P<response_time>\S+)"

mrr6892 · ‎05-13-2020

mrr6892 · ‎05-13-2020

how can we display yellow highlighted key value in table

to4kawa · ‎05-13-2020

your search
| raname msg as _raw
| extract pairdelim=" " kvdelim=":"
| rename response_time as cf_rt

mrr6892 · ‎05-13-2020

how can we display yellow highlighted key value from all events in to table

to4kawa · ‎05-13-2020

I see, my answer is updated.

mrr6892 · ‎05-13-2020

thanks i am able to pull the data but not able to rename the _raw column it should be renamed as msg when i did that my response time values are not showing in table.

to4kawa · ‎05-13-2020

I'm not sure, please use a regular expression.

how to extract a particular field value and display in table with different column name

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...