I have a situation where I have a defined field that has a large amount of data, but I am interested in only one part of that field: Status : 2
Apologies as I am new to Splunk and I am lower than elementary level on this, but how would I extract this value from the field? If rex, how would I set this query?
= (garbage) Status : 2 (garbage)
@joshy50 ,
Try
"your search"
|rex field=<your fieldname> "(?<status>Status : \d+)"
What are possible values for status? Are they just digits?
A helpful way to approach this is to identify what characters are NOT going to be in your status. For example, if status can contain anything and is always followed by a semicolon, then you can construct a class that captures everything except a semicolon.
| rex "Status\s:\s(?<status>[^;]+);"
Sometimes this is easier than trying to predict all possible legal values, and can help in cases where something unexpected is found (developer says "only digits" but you find a pound sign and become a hero).
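Added example, not from any of the answers above: the two rex patterns from this thread run with Python's re module over constructed sample field values, to show what each one actually captures (the first answer's pattern puts the whole "Status : 2" fragment into the field, not just the 2) and how the negated-class pattern copes with a non-digit value. The sample strings and the value-only variant (DIGITS_ONLY) are my assumptions; Python spells a named group (?P<name>...) where Splunk's rex uses (?<name>...), which is the only translation applied.

```python
import re

# Constructed sample field values (not from the original thread); each holds other
# text around the "Status : N" fragment, as the question describes.
SAMPLE_VALUES = [
    "id=17 user=alice Status : 2; host=web01",
    "id=18 user=bob Status : 13; host=web02",
    "id=19 user=carol Status : #; host=web03",   # not digits, as the second answer warns
    "id=20 user=dave host=web04",                # no Status fragment at all
]

# Splunk's rex uses PCRE-style (?<name>...) groups; Python's re module spells the
# same named group (?P<name>...). Otherwise these are the thread's patterns verbatim.
FULL_FRAGMENT = re.compile(r"(?P<status>Status : \d+)")       # first answer
DIGITS_ONLY = re.compile(r"Status\s:\s(?P<status>\d+)")       # assumed value-only variant
NEGATED_CLASS = re.compile(r"Status\s:\s(?P<status>[^;]+);")  # second answer


def extract(pattern, value):
    """Return the named group 'status', or None when rex would extract nothing."""
    m = pattern.search(value)
    return m.group("status") if m else None


def compare(values=SAMPLE_VALUES):
    """Apply all three patterns to each value, as rex would to each event's field."""
    return [
        {
            "value": v,
            "full_fragment": extract(FULL_FRAGMENT, v),
            "digits_only": extract(DIGITS_ONLY, v),
            "negated_class": extract(NEGATED_CLASS, v),
        }
        for v in values
    ]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

Running it shows the first answer's pattern yielding "Status : 2" while the other two yield "2"; on the "#" value only the negated class extracts anything, and on the value with no fragment all three leave the field empty, which is the point the second answer makes.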
Hi,
I believe you want to extract the value of the status field (i.e. if status = 2, then you want to extract 2 as the value of the status field).
And then you would get an extracted field as "status" in the fields side bar.
To know more about the regex expressions you can practice it here ----> "https://regex101.com/"