Splunk Search

Extract fields with a regular expression

narabhut
Explorer

I have fields in the format of LOG_ID, DEVICE_DATA, USERNAME, that I'd like to extract, and I'd like to exclude the default Splunk fields like _time, *_raw, and timeendpos, timestartpos, etc. Is that possible to do through the regex command? Can I chain that with table somehow?

0 Karma

aholzer
Motivator

If you have "key=value" pairs, Splunk should be extracting them as a field by the name of "key" and the corresponding value "value".

You should be able to limit your searches by simply adding a the field = value as part of your search terms. (Example: "LOG_ID=12312")

If you are interested in displaying only certain fields in a table format, then piping into a table command and listing the fields you want is enough.

0 Karma

narabhut
Explorer

The data in the fields can contain anything, so I don't think I can do filtering based on that. An example would be LOG_ID=12312 DEVICE_DATA="random stuff" USERNAME="DAVIDTEST"

0 Karma

dglinder
Path Finder

Can you update the quesiton with a specific example of the line you're extracting this data from? What data is in the "LOG_ID", "DEVICE_DATA", and "USERNAME" fields (numbers only, spaces, etc)?

0 Karma

Ayn
Legend

No, the regex command is used for filtering search results based on a regular expression. The rex command is used for extracting fields out of events though. Including/excluding fields is done using the fields command.

Based on your question it sounds like you should take a tour of how Splunk works. Field extractions are covered here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

And there's an excellent Splunk tutorial: http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...