Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract a ";" delimited field in table
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nidd
Path Finder
07-12-2020
01:55 AM
My log sample looks like this:
testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,
I need to extract a few fields in my table. Eg: PlNumber, Src, SrcId
I'm trying like the below:
<mysearch> ... | rex "SrcId=(?<SrcId>.*)" | table PlNumber, Src, SrcId
On the results, the SrcId column is concatenated with the other tail columns, like:
--------------------------------------------------------------
| PlNumber | Src | SrcId |
--------------------------------------------------------------
| testPl | testSrc | 1234_src1;1234_src2|TxnId=txn- |
| A688|ParentId=|TransactionType=, |
--------------------------------------------------------------
What I need:
-------------------------------------------------
| PlNumber | Src | SrcId |
-------------------------------------------------
| testPl | testSrc | 1234_src1;1234_src2 |
-------------------------------------------------
I know that my Regex is missing something.
Kindly help achieving this.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
07-12-2020
02:04 AM
index=_internal |head 1 | fields _raw _time | eval _raw="testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,"
| extract pairdelim=",|" kvdelim="="
| table PlNumber, src, SrcIdtry extract
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
07-12-2020
02:04 AM
index=_internal |head 1 | fields _raw _time | eval _raw="testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,"
| extract pairdelim=",|" kvdelim="="
| table PlNumber, src, SrcIdtry extract
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nidd
Path Finder
07-12-2020
02:43 AM
That works ! Thank you very much !
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
