- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract data via rest api
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
I have some sample data generated from
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | multikv from_user start_time" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
How can i extract eg. the from_user and start_time from the _raw field so it gets a ordinary search result field in the search result ?
->
<result offset='1487'>
<field k='_bkt'>
<value><text>tweets~39~6909193E-A0BE-4EC0-8F2F-9E47CAE7DEF2</text></value>
</field>
<field k='_cd'>
<value><text>39:278787</text></value>
</field>
<field k='_indextime'>
<value><text>1383149603</text></value>
</field>
<field k='_raw'><v xml:space='preserve' trunc='0'>2013-10-30 17:13:23:443+0100 name="twitter-message" from_user="someuser" in_reply_to="null" start_time="Wed Oct 30 17:13:09 CET 2013" event_id="395584165271203840" text="I voted for Girls' Generation's "I Got a Boy" to win Video of the Year at the YouTube Music Awards. http://t.co/igD2gPOrYI #YTMAhgh" retweet_count="0"</v></field>
<field k='_serial'>
<value><text>1980</text></value>
</field>
<field k='_si'>
<value><text>mac.local</text></value>
<value><text>tweets</text></value>
</field>
<field k='_sourcetype'>
<value><text>twitter-feed</text></value>
</field>
<field k='_subsecond'>
<value><text>.443</text></value>
</field>
<field k='_time'>
<value><text>2013-10-30 17:13:23.443 CET</text></value>
</field>
<field k='host'>
<value><text>127.0.0.1</text></value>
</field>
<field k='index'>
<value h='1'><text>tweets</text></value>
</field>
<field k='linecount'>
<value><text>1</text></value>
</field>
<field k='source'>
<value><text>mysource</text></value>
</field>
<field k='sourcetype'>
<value><text>twitter-feed</text></value>
</field>
<field k='splunk_server'>
<value><text>mac.local</text></value>
</field>
</result>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
doh - I'll answer this my self. Quite simple just do:
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | fields *" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
or a list of fields if you wanna have specific fields kvp's
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
doh - I'll answer this my self. Quite simple just do:
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | fields *" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
or a list of fields if you wanna have specific fields kvp's
Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!
Catch Up Now >>
