Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question on extract the fields from the lines following a particular string

prettysunshinez
Explorer
‎07-14-2021 06:49 AM

Hi,

I would like to extract the details that is present in the event followed by the event which the search string is present.Below is a sample data and the expected output.[7/14/21 3:00 CDT] 3 IDs are found for the type 234456 and for the subtype 12334^12344

[7/14/21 3:00 CDT] It is being sent to will@sons

[7/14/21 3:01 CDT] It is being sent to william@sons

[7/14/21 3:01 CDT] It is being sent to heather@sons

Expected Output

Type Subtype ID "No.of ID's"

234456 12334 will@sons 3

                   12344 william@sons

                                  heather@sons

Thanks in advance!

Labels (2)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-14-2021 09:43 AM

@prettysunshinez 

Can you please try this?

YOUR_SEARCH
| rex field=_raw "(?<NumberOfIDs>\d*) IDs are found for the type (?<Type>\d*) and for the subtype (?<SubType>.*)"
| rex field=_raw "sent to (?<emailId>.*)" | filldown Type SubType NumberOfIDs
| streamstats count by Type
| eval SubType=mvindex(split(SubType,"^"),count-2),Type=if(count=2,Type,null()), NumberOfIDs=if(count=2,NumberOfIDs,null()) | where count!=1
| table Type SubType emailId NumberOfIDs

My Sample Search :

| makeresults | eval raw="[7/14/21 3:00 CDT] 3 IDs are found for the type 234456 and for the subtype 12334^12344|[7/14/21 3:00 CDT] It is being sent to will@sons|[7/14/21 3:01 CDT] It is being sent to william@sons|[7/14/21 3:01 CDT] It is being sent to heather@sons|[7/14/21 3:02 CDT] 4 IDs are found for the type 234457 and for the subtype 12335^12345|[7/14/21 3:02 CDT] It is being sent to will3@sons|[7/14/21 3:03 CDT] It is being sent to william3@sons|[7/14/21 3:03 CDT] It is being sent to heather1@sons" 
| eval raw=split(raw,"|")| mvexpand raw | rename raw as _raw
|rename comment as "Upto Now is sample data only" 
| rex field=_raw "(?<NumberOfIDs>\d*) IDs are found for the type (?<Type>\d*) and for the subtype (?<SubType>.*)"
| rex field=_raw "sent to (?<emailId>.*)" | filldown Type SubType NumberOfIDs
| streamstats count by Type
| eval SubType=mvindex(split(SubType,"^"),count-2),Type=if(count=2,Type,null()), NumberOfIDs=if(count=2,NumberOfIDs,null()) | where count!=1
| table Type SubType emailId NumberOfIDs

 

Screenshot 2021-07-14 at 10.13.42 PM.png

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...