Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to remove all words in an event except for certain ones and put them in a table?

lonelyknight
Observer
‎01-10-2023 08:10 PM

I have a event like this

02.09.2022; seller david address 434 xyz house price 20000  [color:green] {noffloors: 5] status sold

02.09.2022; seller lenin address 222 abc  house price 30000  [color:red] {noffloors: 7] status sold

Assuming address, price, color and noffloor are not indexed as fields. How do I obtain output like this ? I am thinking of using regex but i dnt know the exact experssion

address     price      color      nofloor

434 zyz    20000   green      5

222 abc    30000  red            7

 

Labels (1)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎01-10-2023 09:28 PM

This rex statement will extract the data based on your example events

| rex "address (?<address>.*) house price (?<price>\d+)\s+\[color:(?<color>[^\]]*)\]\s+\{noffloors:\s(?<noffloors>\d+)"

 but it's pretty rigid in that all fields must be in that format/order

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...