Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can't extract fields and make list?

Renunaren
Loves-to-Learn Everything
‎06-28-2023 07:03 AM

Hi Team,

Please help us on the below issue. Below is the sample event.

 

message: Dataframe row : {"_c0":{"0":"{","1":"    \"compaction_table\": [","2":"        \"md_proc_control_v2\"","3":"        \"md_source_control\"","4":"    ]","5":"    \"Timestamp\": \"2023\/06\/26 12:05:43\"","6":"    \"compaction_status\": \"Successful\"","7":"}"}}

 

In the above message, we have an event with the compaction_table, timestamp and compaction_status. We have tried to extract the files for compaction table such as md_proc_control_v2, md_source_control  as a separate field by name List using the below SPL query.

index="app_events_dwh2_de_int" _raw=*compac* | rex "(?:\"compaction_table[\\\\]+\": \[)(?<compactionlist>[^\s:]+[^\]]+)"
| rex field=compactionlist max_match=0 "(?:[^\s:]+[^\s]+\s[\\\\]+)(?<List>[^\\\]+)

But we are unable to extract those files using the above SPL query. We have extracted the compactionlist field like below.

Renunaren_0-1687960576911.png

But we are unable to extract the List from the field compactionlist.

We request you to kindly help us in extraction of the files md_proc_control_v2, md_source_control as separate field by name List and also the compaction status as a separate field and also the Timestamp as a separate field from the event. Below is the sample raw text for this.

 

Dataframe row : {"_c0":{"0":"{","1":"    \"compaction_table\": [","2":"        \"md_proc_control_v2\"","3":"        \"md_source_control\"","4":"    ]","5":"    \"Timestamp\": \"2023\/06\/26 12:05:43\"","6":"    \"compaction_status\": \"Successful\"","7":"}"}}

 

 

0 Karma
Reply

splunkjas1
Path Finder
‎06-28-2023 09:47 AM

Woah, that data is wonky. I'd probably do something like this:

| makeresults
| eval _raw="message: Dataframe row : {\"_c0\":{\"0\":\"{\",\"1\":\" \\\"compaction_table\\\": [\",\"2\":\" \\\"md_proc_control_v2\\\"\",\"3\":\" \\\"md_source_control\\\"\",\"4\":\" ]\",\"5\":\" \\\"Timestamp\\\": \\\"2023\/06\/26 12:05:43\\\"\",\"6\":\" \\\"compaction_status\\\": \\\"Successful\\\"\",\"7\":\"}\"}}"
| rex field=_raw mode=sed "s/\s|{|}|\"|\\\//g"
| eval parts=split(_raw, ",")
| fields parts

That gives me something a bit more sane to deal with:

2023-06-28_11-44-43.png 

I could deal with that then. Just trying to help you get there. 🙂

0 Karma
Reply

Renunaren
Loves-to-Learn Everything
‎06-28-2023 10:10 PM

We already tried this but this doesn't worked, is there any other way to extract them as a separate fields.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...