Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract fields out of plain text log file and assign it to a field name

Sujithkumarkb
Observer
‎12-18-2019 02:48 AM

I want to extract the below values during index time
1. extract WDDZF4KB3JA469368 ,ABCDE4KB3JA469368 and so on and assign it to a field name called VINnumber.
2. extract ConfigureServiceStatusMBIISProvABCSImpl, QuerySubscriptionListSiebelProvABCSImpl ,VINValidationProcess and so on and assign it to field name called services.

ist item2019-12-17T19:35:20.571-05:00|ConfigureServiceStatusMBIISProvABCSImpl|MBIIS|2837822832|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-WDDZF4KB3JA469368|

2019-12-17T19:35:20.571-05:00|ConfigureServiceStatusMBIISProvABCSImpl|MBIIS|2837822832|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-ABCDE4KB3JA469368|

2019-12-17T19:35:18.076-05:00|QuerySubscriptionListSiebelProvABCSImpl|SIEBEL|2837822838|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|FAILED|VIN-WDDZF4KB3JA469368|AccId-NoValueFound|Business Fault:Agree# Missing

2019-12-17T19:35:18.587-05:00|VINValidationProcess|SIEBEL|2837822846|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-WDDZF4KB3JA469368|

2019-12-17T19:35:18.076-05:00|QuerySubscriptionListSiebelProvABCSImpl|SIEBEL|2837822838|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|FAILED|VIN-WDDZF4KB3JA469368*|AccId-NoValueFound|Business Fault:Agree# Missing*

I understand search time extraction is better for performance .
I tried to extract during search time like below with a bit of luck , but data is 

index=ABC sourcetype=XYZ  WDDZF4KB3JA469368 
| rex field=_raw "(?WDDZF4KB3JA469368.+)\""

but the value i am getting in the field is quite extra VIN= WDDZF4KB3JA469368,,,Cathy,"Wright",,"6278 Harbour Heights Pkwy

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-18-2019 06:35 AM 
| makeresults 
| eval raw="2019-12-17T19:35:20.571-05:00|ConfigureServiceStatusMBIISProvABCSImpl|MBIIS|2837822832|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-WDDZF4KB3JA469368|@2019-12-17T19:35:20.571-05:00|ConfigureServiceStatusMBIISProvABCSImpl|MBIIS|2837822832|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-ABCDE4KB3JA469368|@2019-12-17T19:35:18.076-05:00|QuerySubscriptionListSiebelProvABCSImpl|SIEBEL|2837822838|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|FAILED|VIN-WDDZF4KB3JA469368|AccId-NoValueFound|Business Fault:Agree# Missing@2019-12-17T19:35:18.587-05:00|VINValidationProcess|SIEBEL|2837822846|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-WDDZF4KB3JA469368|@2019-12-17T19:35:18.076-05:00|QuerySubscriptionListSiebelProvABCSImpl|SIEBEL|2837822838|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|FAILED|VIN-WDDZF4KB3JA469368|AccId-NoValueFound|Business Fault:Agree# Missing"
| makemv delim="@" raw
| mvexpand raw
| rex field=raw "(?<_time>[^\|]+)\|(?<services>[^\|]+)\|[^\|]+\|[^\|]+\|[^\|]+\|(?<result>[^\|]+)\|(?<VINnumber>[^\|]+)\|"
| table _time raw services VINnumber result

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎12-18-2019 06:35 AM 
| makeresults 
| eval raw="2019-12-17T19:35:20.571-05:00|ConfigureServiceStatusMBIISProvABCSImpl|MBIIS|2837822832|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-WDDZF4KB3JA469368|@2019-12-17T19:35:20.571-05:00|ConfigureServiceStatusMBIISProvABCSImpl|MBIIS|2837822832|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-ABCDE4KB3JA469368|@2019-12-17T19:35:18.076-05:00|QuerySubscriptionListSiebelProvABCSImpl|SIEBEL|2837822838|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|FAILED|VIN-WDDZF4KB3JA469368|AccId-NoValueFound|Business Fault:Agree# Missing@2019-12-17T19:35:18.587-05:00|VINValidationProcess|SIEBEL|2837822846|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|SUCCESS|VIN-WDDZF4KB3JA469368|@2019-12-17T19:35:18.076-05:00|QuerySubscriptionListSiebelProvABCSImpl|SIEBEL|2837822838|0396771d-0879-4246-b9e9-e31328260eb3-04d362c7|FAILED|VIN-WDDZF4KB3JA469368|AccId-NoValueFound|Business Fault:Agree# Missing"
| makemv delim="@" raw
| mvexpand raw
| rex field=raw "(?<_time>[^\|]+)\|(?<services>[^\|]+)\|[^\|]+\|[^\|]+\|[^\|]+\|(?<result>[^\|]+)\|(?<VINnumber>[^\|]+)\|"
| table _time raw services VINnumber result
0 Karma
Reply
Solved! Jump to solution

Sujithkumarkb
Observer
‎12-19-2019 02:06 AM

@to4kawa , thanks .
But , What if i want to extract fields during index time ?

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-19-2019 03:24 AM 
your search
|eval index_time=strftime(_indextime,"%F %T")
|table _time index_time services VINnumber result
0 Karma
Reply
Solved! Jump to solution

Sujithkumarkb
Observer
‎12-19-2019 03:33 AM

@to4kawa , sorry may be i was not clear.
I meant using Props , how can i extract these fields using regex , because i do not see a pattern for the fields i want to extract.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎12-19-2019 04:08 AM

I'm sorry , I don't know props.conf
If you provide new Question of props.conf with this sample data, another professional will solve it.

0 Karma
Reply
Get Updates on the Splunk Community!

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...