How to extract fields from raw event with rex?

iamsplunker · ‎11-28-2023

Hello Splunkers,

I wanted to extract output1 and output6 fields from raw event

Example Event1:

Message : output,1: The guess/tmp/var/tms/bmp_abcd/apm_salesforce/address_standardplot/serviceinput/AddressStandardiplot_S3_VariousDmsJob_V9_apm_unmatch_AVI-pct-STANDARD_123456789_9912333333-f12f-5cb9-aa10-9d101188ad47.banana.2 file, which contains 456 rows, was written to the standardplot-s3-abc-dev-005 bucket.

Example Event 2

Message : output,6: Input 0 consumed 123 records.

desired result

output1=456 rows
output6=123 records

Message field is also not auto extracted by Splunk. May need to use |rex field=_raw........

Please Advise

ITWhisperer · ‎11-28-2023

| rex "output,1.*?(?<output1>\d+\s+rows)"
| rex "output,6.*?(?<output6>\d+\s+records)"

How to extract fields from raw event with rex?

using Splunk Cloud

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Are you a member of the Splunk Community?

How to extract fields from raw event with rex?

using Splunk Cloud

AppDynamics Summer Webinars

SOCin’ it to you at Splunk University

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor