Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract a ";" delimited field in table

Nidd
Path Finder
‎07-12-2020 01:55 AM

My log sample looks like this:

 

testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,

 

I need to extract a few fields in my table. Eg: PlNumber, Src, SrcId

I'm trying like the below:

 

<mysearch> ... | rex "SrcId=(?<SrcId>.*)" | table PlNumber, Src, SrcId

 

 

On the results, the SrcId column is concatenated with the other tail columns, like:

 

--------------------------------------------------------------
|   PlNumber   |   Src   |               SrcId               |
--------------------------------------------------------------
|    testPl    | testSrc | 1234_src1;1234_src2|TxnId=txn-    |
                         | A688|ParentId=|TransactionType=,  |
--------------------------------------------------------------

 

 

What I need:

 

-------------------------------------------------
|   PlNumber   |   Src   |        SrcId         |
-------------------------------------------------
|    testPl    | testSrc | 1234_src1;1234_src2  |
-------------------------------------------------

 

 

I know that my Regex is missing something. 

Kindly help achieving this.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-12-2020 02:04 AM 
index=_internal |head 1 | fields _raw _time | eval _raw="testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,"
| extract pairdelim=",|" kvdelim="="
| table PlNumber, src, SrcId

try extract

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎07-12-2020 02:04 AM 
index=_internal |head 1 | fields _raw _time | eval _raw="testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,"
| extract pairdelim=",|" kvdelim="="
| table PlNumber, src, SrcId

try extract

Reply
Solved! Jump to solution

Nidd
Path Finder
‎07-12-2020 02:43 AM

That works ! Thank you very much !

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...