Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a specific data from log?

thangarun
Explorer
‎07-14-2022 11:53 PM

Dear All,

I am a rookie in Splunk and need your help to extract a fields from the log,

Example:

2022-07-15 14:30:43 , Oracle WebLogic Server is fully supported on Kubernetes , xsjhjediodjde,"approvalCode":"YES","totalCash":"85000","passenger":"A",dgegrgrg4t3g4t3g4t3g4t,rgrfwefiuascjcusc,

In this log i would like to have a extract as Cash and display the value in a tabular form as Date|Passenger|Amount 

Please suggest.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-15-2022 12:49 AM

Hi @thangarun,

update after your message:

| rex "\"totalCash\":\"(?<totalCash>\d+)\",\"passenger\":\"(?<passenger>[^\"]+)"

that you can test at https://regex101.com/r/KmAhE5/2

Supponing that that date and time you have is also the event timestamp, you could run something like this:

index=your_index
| rex "\"totalCash\":\"(?<totalCash>\d+)\",\"passenger\":\"(?<passenger>[^\"]+)"
| table _time passenger totalCash

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-15-2022 12:45 AM

Hi @thangarun,

as @ITWhisperer said, it isn't so clear what's the diferene (in your logs) between cash and amount.

Anyway, the regex to extract the totalCash is the following

| rex "\"totalCash\":\"(?<totalCash>\d+)"

that you can test at https://regex101.com/r/KmAhE5/1

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎07-15-2022 12:49 AM

Hi @thangarun,

update after your message:

| rex "\"totalCash\":\"(?<totalCash>\d+)\",\"passenger\":\"(?<passenger>[^\"]+)"

that you can test at https://regex101.com/r/KmAhE5/2

Supponing that that date and time you have is also the event timestamp, you could run something like this:

index=your_index
| rex "\"totalCash\":\"(?<totalCash>\d+)\",\"passenger\":\"(?<passenger>[^\"]+)"
| table _time passenger totalCash

Ciao.

Giuseppe

Reply
Solved! Jump to solution

thangarun
Explorer
‎07-15-2022 12:57 AM

Awesome....

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2022 12:27 AM

You will need to be more specific

Assuming comma delimited, is the field you are interested in always the 5th field?

Does it always start with "totalCash"?

What would your expected output look like, e.g. does the Cash column always contain "totalCash"?

Do you already have some fields extracted when the events were ingested/indexed?

0 Karma
Reply
Solved! Jump to solution

thangarun
Explorer
‎07-15-2022 12:42 AM

 Hi @ITWhisperer  Sorry for that. No its not the exact 5th field(above is just sample) and expected output is something like this(possible)

DatePassengerCash
15/7/2022A85000

 

Thanks a lot for very quick response.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-15-2022 12:54 AM

Depending on your actual data (a single example doesn't really cut it unless it is 100% representative), you may need to deal with decimals

| rex "\"totalCash\":\"(?<totalCash>[\d\.]+)\",\"passenger\":\"(?<passenger>[^\"]+)"
0 Karma
Reply
Solved! Jump to solution

thangarun
Explorer
‎07-15-2022 12:57 AM

Thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...