Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Getting Data In
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do you extract fields from JSON logs?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
10-19-2018
10:00 AM
Hello,
I have the following JSON log event:
{ [-]
line: I 1019 15:40:22.873 UTC THREAD1: **linkerd 1.4.5** (rev=0280009ca71e0673108a3752763938017bda588f) built at 20180713-154546
source: stderr
tag: linkerd/e03c11099322
}
I want to extract the version of Linkerd given in this log. i.e., I want the following result: Field name: Linkerd version; value: 1.4.5
Pls help!!
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
10-19-2018
10:35 AM
try this regex to extract linkerd version-
... |rex "linkerd\s(?<linkerd_version>[^\s]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
10-19-2018
10:35 AM
try this regex to extract linkerd version-
... |rex "linkerd\s(?<linkerd_version>[^\s]+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
10-19-2018
10:39 AM
Excellent! It gives me exactly what i want! Thank you so so much!!
Can you please tell me how you wrote this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
493669
Super Champion
10-19-2018
11:24 AM
Here rex command is used to extract field values
Explanation:
linkerd\s here \s indicates space so it will find word-linkerd in raw events
[^\s]+ It will check after linkerd\s until it will find any space
(?<linkerd_version> then it will store extracted value in field name linkerd_version
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
moizmmz
Path Finder
10-19-2018
12:03 PM
Thank you thank you thank you!!!!!!
Get Updates on the Splunk Community!
Cisco Catalyst Center Meets Splunk ITSI: From 'Payments Are Down' to Root Cause in ...
The Problem: When Networks and Services Don't Talk
Payment systems fail at a retail location. Customers are ...
Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore
Are you ready to uncover the threats hiding in plain sight?
Join us for "Print, Leak, Repeat: UEBA Insider ...
New Year, New Changes for Splunk Certifications
As we embrace a new year, we’re making a small but important update to the Splunk Certification ...
