Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Question on extract the fields from the lines following a particular string

prettysunshinez
Explorer
‎07-14-2021 06:49 AM

Hi,

I would like to extract the details that is present in the event followed by the event which the search string is present.Below is a sample data and the expected output.[7/14/21 3:00 CDT] 3 IDs are found for the type 234456 and for the subtype 12334^12344

[7/14/21 3:00 CDT] It is being sent to will@sons

[7/14/21 3:01 CDT] It is being sent to william@sons

[7/14/21 3:01 CDT] It is being sent to heather@sons

Expected Output

Type Subtype ID "No.of ID's"

234456 12334 will@sons 3

                   12344 william@sons

                                  heather@sons

Thanks in advance!

Labels (2)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-14-2021 09:43 AM

@prettysunshinez 

Can you please try this?

YOUR_SEARCH
| rex field=_raw "(?<NumberOfIDs>\d*) IDs are found for the type (?<Type>\d*) and for the subtype (?<SubType>.*)"
| rex field=_raw "sent to (?<emailId>.*)" | filldown Type SubType NumberOfIDs
| streamstats count by Type
| eval SubType=mvindex(split(SubType,"^"),count-2),Type=if(count=2,Type,null()), NumberOfIDs=if(count=2,NumberOfIDs,null()) | where count!=1
| table Type SubType emailId NumberOfIDs

My Sample Search :

| makeresults | eval raw="[7/14/21 3:00 CDT] 3 IDs are found for the type 234456 and for the subtype 12334^12344|[7/14/21 3:00 CDT] It is being sent to will@sons|[7/14/21 3:01 CDT] It is being sent to william@sons|[7/14/21 3:01 CDT] It is being sent to heather@sons|[7/14/21 3:02 CDT] 4 IDs are found for the type 234457 and for the subtype 12335^12345|[7/14/21 3:02 CDT] It is being sent to will3@sons|[7/14/21 3:03 CDT] It is being sent to william3@sons|[7/14/21 3:03 CDT] It is being sent to heather1@sons" 
| eval raw=split(raw,"|")| mvexpand raw | rename raw as _raw
|rename comment as "Upto Now is sample data only" 
| rex field=_raw "(?<NumberOfIDs>\d*) IDs are found for the type (?<Type>\d*) and for the subtype (?<SubType>.*)"
| rex field=_raw "sent to (?<emailId>.*)" | filldown Type SubType NumberOfIDs
| streamstats count by Type
| eval SubType=mvindex(split(SubType,"^"),count-2),Type=if(count=2,Type,null()), NumberOfIDs=if(count=2,NumberOfIDs,null()) | where count!=1
| table Type SubType emailId NumberOfIDs

 

Screenshot 2021-07-14 at 10.13.42 PM.png

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Buttercup Games Tutorial Extension - part 9

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games Tutorial Extension - part 8

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Introducing the Splunk Developer Program!

Hey Splunk community! We are excited to announce that Splunk is launching the Splunk Developer Program in ...
Top