Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Dev
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- extract part of a string from the fields
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthi25
Path Finder
12-29-2017
03:44 AM
I am having the comments field with the data below:
'ADP-ECS~FILEMANIFEST~20171228-221014~60.txt.gz and ADP-ECS~FILEMANIFEST~20171228-221014~60.txt.gz.doneTask Completed Successfully '
'Filename is SAP-ADP~DEVICEUSAGE~20171227-005707~4596654.txt.gz and Token Name is SAP-ADP~DEVICEUSAGE~20171227-005707~4596654.txt.gz.doneTask Failed '
'ADPT~ADPTWMFMDAILY~20171228-220124~0.txt.gz and ADPT~ADPTWMFMDAILY~20171228-220124~0.txt.gz.doneTask Completed Successfully '
Now I want to extract only the filename for eg: "ADP-ECS~FILEMANIFEST~20171228-221014~60.txt.gz" and status like below
filename status
--------------------------------------------------------------------------------------------------------------------------------------
ADP-ECS~FILEMANIFEST~20171228-221014~60.txt.gz Completed
SAP-ADP~DEVICEUSAGE~20171227-005707~4596654.txt.gz Failed
ADPT~ADPTWMFMDAILY~20171228-220124~0.txt.gz Completed
Kindly help me to do it.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Elsurion
Communicator
12-29-2017
06:23 AM
Ok it took a bit to create this regex for this comment.
| rex field=comment "'(Filename\sis\s)?(?<filename>\S+)\s+and\s+(Token\sName\sis\s)?(?<token>\S+)\s+((?<status>\S+)(\s\S+)?)"
This regex works on both types of comment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Elsurion
Communicator
12-29-2017
06:23 AM
Ok it took a bit to create this regex for this comment.
| rex field=comment "'(Filename\sis\s)?(?<filename>\S+)\s+and\s+(Token\sName\sis\s)?(?<token>\S+)\s+((?<status>\S+)(\s\S+)?)"
This regex works on both types of comment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
12-29-2017
05:28 AM
This regex seems to work with your sample data.
'(Filename is\s)?(?<filename>.+?\.gz).*Task(?<status>.*)'
In a search you could run
<your search>|rex field=comment "'(Filename is\s)?(?<filename>.+?\.gz).*Task(?<status>.*)'"|table filename status
If my comment helps, please give it a thumbs up!
Get Updates on the Splunk Community!
Enterprise Security Content Update (ESCU) | New Releases
In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
(This is the first of a series of 2 blogs).
Splunk Enterprise Security is a fantastic tool that offers robust ...
Index This | What are the 12 Days of Splunk-mas?
December 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with another ...
