Two different delimiters for a field

AdixitSplunk
Path Finder

I have 2 types of messages in my log.
For the 1st I want to split it on the ":" delimiter,
and for the 2nd I want the delimiter to be "for".

My base query is something like below:

.... Message1 OR Message2|eval delim=(if Message1, deliminator should be ":" ,if Message2 ,deliminator should be "for"| eval num=split(Message,"delim")|eval field=mvindex(num,0)|stats count by field

Please help me on this.

Thanks


gokadroid
Motivator

How about you try this and take whichever one you are interested in out of the preFix or sufFix fields, if your initial string is in the field Message:

your query to return events
| rex field=Message "^(?<preFix>^.*?)(\s:\s|\sfor\s)(?<sufFix>.*)"
| table preFix, sufFix, Message

See here for the extraction at work. Notice the Group PreFix and Group SufFix on right sidebar after...


somesoni2
Revered Legend

Give this a try

.... Message1 OR Message2|eval delim=if(searchmatch("Message1"),split(Message,":"),split(Message,"for"))|eval field=mvindex(delim,0)|stats count by field

gcusello
SplunkTrust

Hi AdixitSplunk,
why don't you use a regex extraction like this:

| rex "(:|for)\s(?<Message>.*)"

Bye.
Giuseppe


AdixitSplunk
Path Finder

It's not working 😞, it's only showing the last.
Messages are like:
Application photobuf message : dhfksdhkfhksdhfk hdfkshfskhfk dfhkshdfkshfhs
Application Data loaded successfully for Photo No - 123456789 ; OrderIPlaceno - 987654321

using | rex "(:|for)\s(?<Message>.*)" is giving Photo No -1234


gcusello
SplunkTrust

Modify the regex:

| rex max_match=0 "(:|for)\s(?<Message>.*)"

see https://regex101.com/r/nGhrLA/1

Bye.
Giuseppe


Arun_N_007
Communicator

Use match or like inside the if condition to find the message type, and based on that set the delim.

..| eval delim = if(like(_raw,"%:%"),":","for")


AdixitSplunk
Path Finder

Can you please help me with the syntax here.


Arun_N_007
Communicator

| stats count
| eval _raw="Application photobuf message : dhfksdhkfhksdhfk hdfkshfskhfk dfhkshdfkshfhs"
| append [| stats count | eval _raw="Application Data loaded successfully for Photo No - 123456789 ; OrderIPlaceno - 987654321"]
| eval delim = if(like(_raw,"%:%"),":","for")
| eval _raw=split(_raw,delim)
| eval split1=mvindex(_raw,0)
| eval split2=mvindex(_raw,1)


jplumsdaine22
Influencer

Do you have some sample data? Are message1 and message2 text strings or field names? Are they in a field or do you need to extract from raw?


AdixitSplunk
Path Finder

The field name is Message. By Message1 and 2 I mean different types of message.
So there are basically 2 types of messages in the field Message.
Example:
1st Application photobuf message : dfgjsdgfjsgd gsdkgfksdgf ksdgfksdgfk s--- for such messages I want ":" as delim
2nd Application2:Photoinserted to somesets for an Account--- for these messages I want "for" as delim

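Taking the two sample message types from this post together with Arun_N_007's conditional-delim approach, here is an added, self-contained search (not code from any poster). It assumes the message type can be recognised from the leading text `Application photobuf message` of the first sample; testing only for the presence of a colon, as `like(Message,"%:%")` does, would pick ":" for the second type too, since that sample also contains a colon.

```spl
| makeresults
| eval Message="Application photobuf message : dfgjsdgfjsgd gsdkgfksdgf ksdgfksdgfk s"
| append [| makeresults | eval Message="Application2:Photoinserted to somesets for an Account"]
| eval delim=if(match(Message, "^Application photobuf message\s*:"), ":", "for")
| eval parts=split(Message, delim)
| eval field=trim(mvindex(parts, 0))
| table Message, delim, field
```

The first row yields field "Application photobuf message" and the second "Application2:Photoinserted to somesets" with its colon intact; replace the final `table` with `| stats count by field` for the counting in the original question.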