Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract fields with a regular expression

narabhut
Explorer
‎07-29-2013 07:48 AM

I have fields in the format of LOG_ID, DEVICE_DATA, USERNAME, that I'd like to extract, and I'd like to exclude the default Splunk fields like _time, *_raw, and timeendpos, timestartpos, etc. Is that possible to do through the regex command? Can I chain that with table somehow?

0 Karma
Reply

aholzer
Motivator
‎07-29-2013 12:05 PM

If you have "key=value" pairs, Splunk should be extracting them as a field by the name of "key" and the corresponding value "value".

You should be able to limit your searches by simply adding a the field = value as part of your search terms. (Example: "LOG_ID=12312")

If you are interested in displaying only certain fields in a table format, then piping into a table command and listing the fields you want is enough.

0 Karma
Reply

narabhut
Explorer
‎07-29-2013 08:24 AM

The data in the fields can contain anything, so I don't think I can do filtering based on that. An example would be LOG_ID=12312 DEVICE_DATA="random stuff" USERNAME="DAVIDTEST"

0 Karma
Reply

dglinder
Path Finder
‎07-29-2013 08:19 AM

Can you update the quesiton with a specific example of the line you're extracting this data from? What data is in the "LOG_ID", "DEVICE_DATA", and "USERNAME" fields (numbers only, spaces, etc)?

0 Karma
Reply

Ayn
Legend
‎07-29-2013 08:15 AM

No, the regex command is used for filtering search results based on a regular expression. The rex command is used for extracting fields out of events though. Including/excluding fields is done using the fields command.

Based on your question it sounds like you should take a tour of how Splunk works. Field extractions are covered here: http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime

And there's an excellent Splunk tutorial: http://docs.splunk.com/Documentation/Splunk/latest/Tutorial/WelcometotheSplunkTutorial

Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...