Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extract field from a complex multi-lines event...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
langlv
Engager
05-30-2016
07:58 PM
Hi pros,
I am new with Splunk and trying to analyze a complex log file from a financial application. I want to figure out the fields from a multilines event, here is my log example:
16.02.10 09:20:53 [ FromIso:123456789]************** INBOUND MESSAGE ID[AAABqgAwV0ujhQAA] ***************
in[ 48: ]<800>
in[ 48: ]<8220000100000000>
in[ 48: ]<0400000000000000>
msgno[ 0]<800>
Bitmap: [82200001000000000400000000000000]
in[ 7: ]<530>
in[ 7: ]<92833>
in[ 11: ]<694437>
in[ 32: ]<6>
in[ 32: ]<123123>
in[ 70: ]<2>
D-ISO-0306: m0800/a0000000000/t694437/p000000/r00
16.02.10 09:20:53 [ ToIso:123456789]************** OUTBOUND MESSAGE ID[AAABqgAwV0ujhQAA] ***************
msgno[ 0]<810>
Bitmap: [82200001020000000400000000000000]
out[ 48: ]<0810>
out[ 48: ]<8220000102000000>
out[ 48: ]<0400000000000000>
out[ 7: ]<0530>
out[ 7: ]<092833>
out[ 11: ]<694437>
out[ 32: ]<06>
out[ 32: ]<123123>
out[ 39: ]<00>
out[ 70: ]<002>
I want to extract the fields msgno=800/810 and field39="00" from the log above.
I tried to use Field Extractor to extract those fields but no luck.
Thanks,
Lang
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-31-2016
06:18 AM
At search time, like this:
... | rex max_match=99 "msgno\[\s*\d+\]<(?<msgno>\d+)>"
| rex max_match=99 "out\[\s*39:\s*\]<(?<field39>\d+)>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
05-31-2016
06:18 AM
At search time, like this:
... | rex max_match=99 "msgno\[\s*\d+\]<(?<msgno>\d+)>"
| rex max_match=99 "out\[\s*39:\s*\]<(?<field39>\d+)>"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
langlv
Engager
05-31-2016
09:27 PM
It works like a charm.
Thanks Woodcock,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kristian_kolb
Ultra Champion
05-31-2016
02:50 AM
Probably the best way is to use EXTRACTs in props.conf with the following regexes;
msgno[^<]+(?<msgno>\d+)
\s39:\s\]\<(?<field39>\d+)
You should probably check the documentation regarding EXTRACT
http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Createandmaintainsearch-timefieldextract...
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf
Also, it may be worth checking out the rex command, which lets you perform regex-based field extractions as part of the search query. At least it is simpler for trying out new extraction patterns before committing them to a config file.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Rex
/k
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
