Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Pull out details by Rex

luckyman80
Path Finder
‎07-27-2021 08:10 AM

Hi Expert,

                     Quite new to Splunk . From the example log line below

03:23:05.056 [publish-1] INFO LoggingAuditor - [testout] TracingOutgoing: 8=FIX.4.29=90635=8115=ONMI=SOMEVENUE34=37249=BRX60256=testout 52=20210727-07:23:05.05

Is it possible to pull out in columns headers somehow ? 

LogType=LoggingAuditor

Destination=[testout]

Direction=TracingOutgoing

SendingTime=52=20210727-07:23:05.05 (just the time ) ?

Thanks so much ! 

Labels (1)
Labels
Tags (3)
0 Karma
Reply

luckyman80
Path Finder
‎07-27-2021 10:33 AM

worry what i mean is . I can see the words I need to rex out.. but how do i call the table columns something else like the original post 

 

LogType=LoggingAuditor

Destination=[testout]

Direction=TracingOutgoing

SendingTime=52=20210727-07:23:05.05 (just the time )

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-27-2021 11:05 AM

Once your fields are extracted you can call them anything you like using the rename command.

... | rename LogType as LoggingAuditor
---
If this reply helps you, Karma would be appreciated.
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-27-2021 10:10 AM

Yes, it's possible and very easy.  The rex command can extract text into fields for you.  Here's an example command that works with the sample event.  You'll need to modify it if I've made incorrect assumptions (like if INFO is not the only level).

| rex "INFO (?<LogType>\w+).*?\[(?<Destination>[^\]]+)] (?<Direction>\w+).*?52=(?<SendingTime>.*)"

You can test your changes at regex101.com

---
If this reply helps you, Karma would be appreciated.
Reply

luckyman80
Path Finder
‎07-27-2021 10:16 AM

Thanks how do I i see it with columns after ? I see the Rex took but this doesn't seem to work after 

rex "INFO (?<LogType>\w+).*?\[(?<Destination>[^\]]+)] (?<Direction>\w+).*?52=(?<SendingTime>.*)"|table LogType, Destination, Direction, SendingTime

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-27-2021 10:06 AM 
| rex "INFO (?<LogType>\S+)\s-\s(?<Destination>\[[^\]]+\])\s+(?<Direction>[^:]+):.*\-(?<SendingTime>.*)"
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...