How to extract filed from text File

shugup2923 · ‎07-16-2019

Hi All,
I am reading text file from one of the server using UF, data in splunk looks like -

Total expected size 1042532502 MB
Name: (state) Number of copies: Size:

SLP-MEDIUM-DDX1_CATALOG_2W (inactive) 4 111676 MB
SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 17 1292279 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1M (inactive) 514 81442047 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1M_DC1 (inactive) 4746 525210649 MB
SLP-MEDIUM-DDXi_2W-DC2DXi_1MDC1 (inactive) 100 15054931 MB
SLP-MEDIUM-DDXi_3M-DC2DXi_1Y (inactive) 22 7815733 MB
SLP-MEDIUM-DDXi_3M-DC2DXi_1YDC1 (inactive) 9 1419550 MB
SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 6 <1 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1M (inactive) 74 8478513 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 1196 105875404 MB
SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 159 15961308 MB
SLP-MEDIUM-DDXi_3M-DC1DXi_1Y_DC2 (inactive) 50 3037526 MB
SLP-MEDIUM-DA_2W-DP2A_1M (active) 1170 25512602 MB
SLP-MEDIUM-DA_2W-DP2A_5W (inactive) 179 1939354 MB
SLP-MEDIUM-DD_2W-DP2D_1M (active) 3274 37605665 MB
SLP-MEDIUM-DE_2W-DP2E_1M (active) 990 90378841 MB
SLP-MEDIUM-DA_2W-DP1A_1M (active) 816 20788679 MB
SLP-MEDIUM-DA_2W-DP1A_5W (inactive) 56 168606 MB
SLP-MEDIUM-DD_2W-DP1D_1M (active) 2503 12663760 MB
SLP-MEDIUM-DE_2W-DP1E_1M (active) 816 87799167 MB

I need to extract fields out of this data such as Total expected size, Name: (state) ,Number of copies,Size

Any method to extract it out, please let me know ?

adonio · ‎07-17-2019

hello there,
you can use | rex command as shown below, or use the field extractor, see link:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/ExtractfieldsinteractivelywithIFX
you might have some challenges with the <1 value that will need extra work, highlighted in the screenshot

| makeresults count=1
| eval data = "SLP-MEDIUM-DDX1_CATALOG_2W (inactive) 4 111676 MB;;;SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 17 1292279 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1M (inactive) 514 81442047 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1M_DC1 (inactive) 4746 525210649 MB;;;SLP-MEDIUM-DDXi_2W-DC2DXi_1MDC1 (inactive) 100 15054931 MB;;;SLP-MEDIUM-DDXi_3M-DC2DXi_1Y (inactive) 22 7815733 MB;;;SLP-MEDIUM-DDXi_3M-DC2DXi_1YDC1 (inactive) 9 1419550 MB;;;SLP-MEDIUM-DDX1_MSDP_CATALOG_2W (inactive) 6 <1 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1M (inactive) 74 8478513 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 1196 105875404 MB;;;SLP-MEDIUM-DDXi_2W-DC1DXi_1MDC2 (inactive) 159 15961308 MB;;;SLP-MEDIUM-DDXi_3M-DC1DXi_1Y_DC2 (inactive) 50 3037526 MB;;;SLP-MEDIUM-DA_2W-DP2A_1M (active) 1170 25512602 MB;;;SLP-MEDIUM-DA_2W-DP2A_5W (inactive) 179 1939354 MB;;;SLP-MEDIUM-DD_2W-DP2D_1M (active) 3274 37605665 MB;;;SLP-MEDIUM-DE_2W-DP2E_1M (active) 990 90378841 MB;;;SLP-MEDIUM-DA_2W-DP1A_1M (active) 816 20788679 MB;;;SLP-MEDIUM-DA_2W-DP1A_5W (inactive) 56 168606 MB;;;SLP-MEDIUM-DD_2W-DP1D_1M (active) 2503 12663760 MB;;;SLP-MEDIUM-DE_2W-DP1E_1M (active) 816 87799167 MB"
| makemv delim=";;;" data 
| mvexpand data
| rename COMMENT as "above generates sample data, below is your rex"
| rex field=data "(?<Name>[^\s]+)\s\((?<state>[^\)]+)\)\s(?<number_of_copies>[^\s]+)\s(?<size>[^\s]+)\s(?<size_unit>[^\s]+)"

screenshot:

hope it helps

How to extract filed from text File

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Are you a member of the Splunk Community?

How to extract filed from text File

Can’t make it to .conf25? Join us online!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions