Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a specific data from log?

thangarun
Explorer
‎07-14-2022 11:53 PM

Dear All,

I am a rookie in Splunk and need your help to extract a fields from the log,

Example:

2022-07-15 14:30:43 , Oracle WebLogic Server is fully supported on Kubernetes , xsjhjediodjde,"approvalCode":"YES","totalCash":"85000","passenger":"A",dgegrgrg4t3g4t3g4t3g4t,rgrfwefiuascjcusc,

In this log i would like to have a extract as Cash and display the value in a tabular form as Date|Passenger|Amount 

Please suggest.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-15-2022 12:49 AM

Hi @thangarun,

update after your message:

| rex "\"totalCash\":\"(?<totalCash>\d+)\",\"passenger\":\"(?<passenger>[^\"]+)"

that you can test at https://regex101.com/r/KmAhE5/2

Supponing that that date and time you have is also the event timestamp, you could run something like this:

index=your_index
| rex "\"totalCash\":\"(?<totalCash>\d+)\",\"passenger\":\"(?<passenger>[^\"]+)"
| table _time passenger totalCash

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-15-2022 12:45 AM

Hi @thangarun,

as @ITWhisperer said, it isn't so clear what's the diferene (in your logs) between cash and amount.

Anyway, the regex to extract the totalCash is the following

| rex "\"totalCash\":\"(?<totalCash>\d+)"

that you can test at https://regex101.com/r/KmAhE5/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-15-2022 12:49 AM

Hi @thangarun,

update after your message:

| rex "\"totalCash\":\"(?<totalCash>\d+)\",\"passenger\":\"(?<passenger>[^\"]+)"

that you can test at https://regex101.com/r/KmAhE5/2

Supponing that that date and time you have is also the event timestamp, you could run something like this:

index=your_index
| rex "\"totalCash\":\"(?<totalCash>\d+)\",\"passenger\":\"(?<passenger>[^\"]+)"
| table _time passenger totalCash

Ciao.

Giuseppe

Reply
Solved! Jump to solution

thangarun
Explorer
‎07-15-2022 12:57 AM

Awesome....

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2022 12:27 AM

You will need to be more specific

Assuming comma delimited, is the field you are interested in always the 5th field?

Does it always start with "totalCash"?

What would your expected output look like, e.g. does the Cash column always contain "totalCash"?

Do you already have some fields extracted when the events were ingested/indexed?

0 Karma
Reply
Solved! Jump to solution

thangarun
Explorer
‎07-15-2022 12:42 AM

 Hi @ITWhisperer  Sorry for that. No its not the exact 5th field(above is just sample) and expected output is something like this(possible)

DatePassengerCash
15/7/2022A85000

 

Thanks a lot for very quick response.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2022 12:54 AM

Depending on your actual data (a single example doesn't really cut it unless it is 100% representative), you may need to deal with decimals

| rex "\"totalCash\":\"(?<totalCash>[\d\.]+)\",\"passenger\":\"(?<passenger>[^\"]+)"
0 Karma
Reply
Solved! Jump to solution

thangarun
Explorer
‎07-15-2022 12:57 AM

Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...