Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extract data via rest api
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have some sample data generated from
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | multikv from_user start_time" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
How can i extract eg. the from_user and start_time from the _raw field so it gets a ordinary search result field in the search result ?
->
<result offset='1487'>
<field k='_bkt'>
<value><text>tweets~39~6909193E-A0BE-4EC0-8F2F-9E47CAE7DEF2</text></value>
</field>
<field k='_cd'>
<value><text>39:278787</text></value>
</field>
<field k='_indextime'>
<value><text>1383149603</text></value>
</field>
<field k='_raw'><v xml:space='preserve' trunc='0'>2013-10-30 17:13:23:443+0100 name="twitter-message" from_user="someuser" in_reply_to="null" start_time="Wed Oct 30 17:13:09 CET 2013" event_id="395584165271203840" text="I voted for Girls' Generation's "I Got a Boy" to win Video of the Year at the YouTube Music Awards. http://t.co/igD2gPOrYI #YTMAhgh" retweet_count="0"</v></field>
<field k='_serial'>
<value><text>1980</text></value>
</field>
<field k='_si'>
<value><text>mac.local</text></value>
<value><text>tweets</text></value>
</field>
<field k='_sourcetype'>
<value><text>twitter-feed</text></value>
</field>
<field k='_subsecond'>
<value><text>.443</text></value>
</field>
<field k='_time'>
<value><text>2013-10-30 17:13:23.443 CET</text></value>
</field>
<field k='host'>
<value><text>127.0.0.1</text></value>
</field>
<field k='index'>
<value h='1'><text>tweets</text></value>
</field>
<field k='linecount'>
<value><text>1</text></value>
</field>
<field k='source'>
<value><text>mysource</text></value>
</field>
<field k='sourcetype'>
<value><text>twitter-feed</text></value>
</field>
<field k='splunk_server'>
<value><text>mac.local</text></value>
</field>
</result>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
doh - I'll answer this my self. Quite simple just do:
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | fields *" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
or a list of fields if you wanna have specific fields kvp's
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
doh - I'll answer this my self. Quite simple just do:
curl -k -u admin:password https://localhost:8089/services/search/jobs/export -d search="search index=tweets | fields *" -d earliest_time="-4h" -d latest_time="now" -d output_mode="xml"
or a list of fields if you wanna have specific fields kvp's
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
Unlock Database Monitoring with Splunk Observability Cloud
