Solved: field extraction for the complex data

Supriya · ‎10-04-2021

Hi Team,

Could someone help me with the field extraction for the below complex data(1000 lines of data I concised to 10 lines of data ) :

columns to be extracted are statement_text , cnt, total_reads, total_writes, db_name

statement_text="SELECT ISNULL("Interface Entry Header"."timestamp",@3) AS "timestamp",ISNULL("Interface Entry Header"."ImageURL",@8) AS "ImageURL",ISNULL("Interface Entry Header"."Pick Date Time",@7) AS "Pick Date Time",ISNULL("Interface Entry Header"."Start Execution",@7) AS "Start Execution",ISNULL("Interface Entry Header"."End Execution",@7) AS "End Execution",ISNULL("Interface Entry Header"."Send Request",@7) AS "Send Request",ISNULL("Maximo Issue Type$Interface Entry Line"."Header Entry No_",@4) AS "Maximo Issue Type$Interface Entry Line$Header Entry No_",ISNULL("Maximo Issue Type$Interface Entry Line"."Entry No_",@4) AS "Maximo Issue Type$Interface Entry Line$Entry No_" FROM "Algeria".dbo."Tango$Interface Entry Line" AS "Maximo Issue Type$Interface Entry Line" WITH(READUNCOMMITTED) WHERE ("Maximo Issue Type$Interface Entry Line"."Header Entry No_"="Interface Entry Header"."Entry No_") ORDER BY "Maximo Issue Type$Interface Entry Line$Header Entry No_" ASC,"Maximo Issue Type$Interface Entry Line$Entry No_" ASC) AS "SUB$Maximo Issue Type" WHERE ("Interface Entry Header"."Interface Code"=@0 AND "Interface Entry Header"."Direction"=@1 AND "Interface Entry Header"."Status"=@2) ORDER BY "Source No_" ASC,"Entry No_" ASC OPTION(OPTIMIZE FOR UNKNOWN, FAST 50)", cnt="12", total_reads="31",
total_writes="0", db_name="test"

I couldn't able to extract the statement_text column completely and the remaining columns are working fine

index="index" source="source1"| rex field=_raw "statement_text\=\"(?<statement_text>[@ ( ) $ . , \"A-Z ! ^ | \" - _ : { } A-Z a-z _ 0-9]+]+)\"" | rex field=_raw "cnt\=\"(?<cnt>[0-9]+)\"" | rex field=_raw "diff_reads\=\"(?<diff_reads>[0-9]+)\""| rex field=_raw "total_writes\=\"(?<total_writes>[0-9]+)\"" | rex field=_raw "db_name\=\"(?<db_name>[A-Z a-z _ 0-9]+)\""

Please provide me rex for statement_text column where the data can be extracted till the 2nd column "cnt"

Supriya · ‎10-05-2021

Its working thank you!
could you please explain @ITWhisperer

View solution in original post

ITWhisperer · ‎10-04-2021

| rex "statement_text=\"(?<statement_text>.*)\",\s+cnt"

Supriya · ‎10-05-2021

Its working thank you!
could you please explain @ITWhisperer

ITWhisperer · ‎10-05-2021

statement_text=\"(?<statement_text>.*)\",\s+cnt

pre-anchor fieldname pattern post-anchor

That is, everything (.*) between statement_text=" and ", cnt is put into field named statement_text

Supriya · ‎10-05-2021

thank you for explaining and accepted your solution

Here one more issue I have is while downloading these results in CSV file, the column statement_text is splitting in different rows. could you help me with this issue @ITWhisperer

field extraction for the complex data

other

saved search

summary indexing

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI