Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract fields with a regular expression

narabhut
Explorer
‎07-29-2013 07:48 AM

I have fields in the format of LOG_ID, DEVICE_DATA, USERNAME, that I'd like to extract, and I'd like to exclude the default Splunk fields like _time, *_raw, and timeendpos, timestartpos, etc. Is that possible to do through the regex command? Can I chain that with table somehow?

0 Karma
Reply

aholzer
Motivator
‎07-29-2013 12:05 PM

If you have "key=value" pairs, Splunk should be extracting them as a field by the name of "key" and the corresponding value "value".

You should be able to limit your searches by simply adding a the field = value as part of your search terms. (Example: "LOG_ID=12312")

If you are interested in displaying only certain fields in a table format, then piping into a table command and listing the fields you want is enough.

0 Karma
Reply

narabhut
Explorer
‎07-29-2013 08:24 AM

The data in the fields can contain anything, so I don't think I can do filtering based on that. An example would be LOG_ID=12312 DEVICE_DATA="random stuff" USERNAME="DAVIDTEST"

0 Karma
Reply

dglinder
Path Finder
‎07-29-2013 08:19 AM

Can you update the quesiton with a specific example of the line you're extracting this data from? What data is in the "LOG_ID", "DEVICE_DATA", and "USERNAME" fields (numbers only, spaces, etc)?

0 Karma
Reply

Ayn
Legend
‎07-29-2013 08:15 AM

No, the regex command is used for filtering search results based on a regular expression. The rex command is used for extracting fields out of events though. Including/excluding fields is done using the fields command.

Based on your question it sounds like you should take a tour of how Splunk works. Field extractions are covered here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

And there's an excellent Splunk tutorial: http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...