Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract an value from logged sentence

j3r0n
Explorer
‎05-14-2020 06:56 AM

Hi,
I'm trying to make a Splunk panel display a value from a log that gets added to every 4 minutes.
I need to be able to see on the dashboard if the value suddenly drops.
I've tried extracting the value, but it keeps messing up.
Should I use regex, or do I need to extract it in a different way?
My goal is to only get the value after "value= " to return.

This is how the data looks when it's imported into Splunk, each new line is a single event:

2020-05-14T13:39:28.423Z, machine= wefqwr2312, value= 14
2020-05-14T13:40:29.003Z, machine= wefqwr2312, value= 14
2020-05-14T13:40:29.118Z, machine= wefqwr2312, value= 14
2020-05-14T13:41:28.316Z, machine= wefqwr2312, value= 14
2020-05-14T13:41:28.323Z, machine= wefqwr2312, value= 14
2020-05-14T13:45:48.032Z, machine= wefqwr2312, value= 14
2020-05-14T13:45:48.041Z, machine= wefqwr2312, value= 14

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎05-14-2020 07:07 AM

Add this to your SPL and replace FIELD_NAME with your actual field name. I'd recommend fixing the logging to remove that space after value so Splunk can create the key value pair automatically without manually extracting 

| rex value\=\s(?<FIELD_NAME>/d+)

View solution in original post

Reply
Solved! Jump to solution
Solution

skoelpin
SplunkTrust
SplunkTrust
‎05-14-2020 07:07 AM

Add this to your SPL and replace FIELD_NAME with your actual field name. I'd recommend fixing the logging to remove that space after value so Splunk can create the key value pair automatically without manually extracting 

| rex value\=\s(?<FIELD_NAME>/d+)
Reply
Solved! Jump to solution

j3r0n
Explorer
‎05-14-2020 07:28 AM

Thanks alot for your reply!
I've edited the logging now, without the space after value.
Do I need a different rex now? And the extracted field of which I put the name in the regex, only has to be the "16" instead of "value=16" right?

Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎05-14-2020 07:30 AM

Nothing further needed! Splunk will identify key value pairs automatically and extract them out for you. Splunk looks for common delimiters such as the : or = and identifies everything on the left side as the field and everything on the right side as the value. Keep it in the format of value=14

Once it has a little run time, go look at your fields on the left and find the field value to verify it extracts properly

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...