Splunk Search

Extract field from another dynamic field

thenormalone
Path Finder

I have a field from the search query called source which has a pattern of "text:text:text:dynamicText:dynamicText:dynamicText"

where text->hardcoded values and dynamicText->keeps changing for different logs.

 

I want to extract the 2nd dynamic text as its own field and then perform a stats count on that field. 

I'm not able to figure out how to navigate over the 1st dynamic field using regular expressions

Labels (3)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

You can use rex to extract the second dynamicText and then use the stats command to count them.

index=foo
| rex "(?:[^:]+:){4}(?<dynamicText2>[^:]+)"
| stats count by dynamicText2
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

You can use rex to extract the second dynamicText and then use the stats command to count them.

index=foo
| rex "(?:[^:]+:){4}(?<dynamicText2>[^:]+)"
| stats count by dynamicText2
---
If this reply helps you, Karma would be appreciated.

thenormalone
Path Finder

@richgalloway  so this is a result from one of the indexers from which I extract this dynamic field while another indexer already has the field in its search. So how do I go about combining them?

I tried renaming the dynamic field (eg: "source") which I extract from the 1st indexer with the same name as the field from the search result of the other indexer (also named "source") but when I do "| stats count source", it shows up as two different results even though the name of the source is the same. 

0 Karma

thenormalone
Path Finder

there was a typo in my search, it did combine the results

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...