Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Extract a Value from a Field

joshy50
New Member
‎01-30-2020 06:56 PM

I have a situation where I have a defined field that has a large amount of data but I am interested in only one part of that field Status : 2
Apologies as I am new to Splunk and I am lower than elementary level on this, but how would I extract this value from the field? If rex, how would I set this query?

= (garbage) Status : 2 (garbage)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-31-2020 01:43 AM

@joshy50 ,

Try

"your search" 
|rex field=<your fieldname> "(?<status>Status : \d+)"
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jpolvino
Builder
‎01-31-2020 06:09 AM

What are possible values for status? Are they just digits?

A helpful way to approach this is to identify what characters are NOT going to be in your status. For example, if status can contain anything and is always followed by a semicolon, then you can construct a class that captures everything except a semicolon.
| rex "Status\s:\s(?<status>[^;]+);"

Sometimes this is easier than trying to predict all possible legal values, and can help in cases where something unexpected is found (developer says "only digits" but you find a pound sign and become a hero).

0 Karma
Reply
Solved! Jump to solution

aditi25
New Member
‎01-31-2020 03:31 AM

Hi,

I believe you want to extract the value of the status field (i.e status = 2 then you want to extract 2 as the value of the status field)

  1. If you want to go for regex expression. your expression would look like ''Status'\W+(?\d+)'. Now that you have the regex expression. you can go to your splunk UI and there in the fields sidebar, scroll down you will see a '+' sign with "extract new fields">> click on it.
  2. You will see the option as "I prefer writing my own regular expression" click on that. And put the above specified regex expression there.
  3. preview your extracted field
  4. click save

And then you would get an extracted field as "status" in the fields side bar.

To know more about the regex expressions you can practice it here ----> "https://regex101.com/"

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎01-31-2020 01:43 AM

@joshy50 ,

Try

"your search" 
|rex field=<your fieldname> "(?<status>Status : \d+)"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...