Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field Extraction, message separated by spaces

christinaef07
Loves-to-Learn Everything
‎12-07-2020 08:52 AM

Hi everyone, I need some help with extracting the field 'message' from my logs coming to splunk. Right now, I am able to see this field coming in as :

message=job py process completed successfully

 When I extract this field, message, only 'job' is coming through. I am assuming this is because splunk can only read the first word, since they are all being seperated by spaces. Any way that I can fix this through Splunk or is this something I need to fix when formatting my logs through my application code? 

Labels (1)
Labels
0 Karma
Reply

493669
Super Champion
‎12-07-2020 09:13 AM

@christinaef07 you can use below regex to extract whole string in message . below regex will extract everything after `message=` in message field.

...|rex "message(?<message>.*)"

 

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...
Top