Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract a ";" delimited field in table
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nidd
Path Finder
07-12-2020
01:55 AM
My log sample looks like this:
testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,
I need to extract a few fields in my table. Eg: PlNumber, Src, SrcId
I'm trying like the below:
<mysearch> ... | rex "SrcId=(?<SrcId>.*)" | table PlNumber, Src, SrcId
On the results, the SrcId column is concatenated with the other tail columns, like:
--------------------------------------------------------------
| PlNumber | Src | SrcId |
--------------------------------------------------------------
| testPl | testSrc | 1234_src1;1234_src2|TxnId=txn- |
| A688|ParentId=|TransactionType=, |
--------------------------------------------------------------
What I need:
-------------------------------------------------
| PlNumber | Src | SrcId |
-------------------------------------------------
| testPl | testSrc | 1234_src1;1234_src2 |
-------------------------------------------------
I know that my Regex is missing something.
Kindly help achieving this.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
07-12-2020
02:04 AM
index=_internal |head 1 | fields _raw _time | eval _raw="testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,"
| extract pairdelim=",|" kvdelim="="
| table PlNumber, src, SrcIdtry extract
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
07-12-2020
02:04 AM
index=_internal |head 1 | fields _raw _time | eval _raw="testServiceName,testTransName,DEVTEST,,,3375598402,15,754,5,2020-07-11 18:41:31.982,2020-07-11 18:41:32.271,29,,,,2,48,248,,,,162,9426,2192,,,,,,,,,,,test,|TxnMessage=SUCCESS|ErrMessage=No Error|PlNumber=testPl|src=testSrc|SrcId=1234_src1;1234_src2|TxnId=txn-A688|ParentId=|TransactionType=,"
| extract pairdelim=",|" kvdelim="="
| table PlNumber, src, SrcIdtry extract
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nidd
Path Finder
07-12-2020
02:43 AM
That works ! Thank you very much !
Get Updates on the Splunk Community!
Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA
Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...
.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...
If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...
A Season of Skills: New Splunk Courses to Light Up Your Learning Journey
There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...
