Solved: Re: Extract variable between pipe symbol from log...

krishman23 · ‎10-12-2020

I have a log generated in splunk which will have unique id in with pipe symbols:

ex:

19:46:47.146 - [http-nio-8000-exec-9] INFO edu.test.controller |{My Var1}|{My Var2}|{myVar3}| - {log message}.

I need to perform a query based on {My Var1}.

Also need to list (dedup) all logs best on {My Var1}.

ITWhisperer · ‎10-12-2020

| rex "\|(?<Var1>[^\|]+)\|(?<Var2>[^\|]+)\|(?<Var3>[^\|]+)\|\s\-\s(?<logmessage>.*)"

View solution in original post

krishman23 · ‎10-23-2020

@ITWhisperer: i additional case in this rex, some time my logmessage will have URL as

Req URL : hello/test/content

or Req URL : hello/test/content/ , i need to truncate / of second request. Can you help with this ?

ITWhisperer · ‎10-23-2020

| rex field=events mode=sed "s/(?<url>[^\/]+\/[^\/]+\/[^\/]+)(?<slash>\/*)/\1/g"

ITWhisperer · ‎10-12-2020

| rex "\|(?<Var1>[^\|]+)\|(?<Var2>[^\|]+)\|(?<Var3>[^\|]+)\|\s\-\s(?<logmessage>.*)"

krishman23 · ‎10-12-2020

my bad , got it what you are saying.,

As second part of my question how can we user Var1 as variable for next search?

ITWhisperer · ‎10-13-2020

Depends on what you want to get out of your data

| dedup Var1
| where Var2="xyz"
| stats count by Var3

krishman23 · ‎10-12-2020

but var1,var2,var3 are unknown to me, those are variables in log

ITWhisperer · ‎10-12-2020

The rex extracts the value between the first two pipes into a field called Var1, the value between the second and third pipes into a field called Var2, etc. You can then use these fields in your query or just display them in as columns in a table. Is this not what you want to do?

Extract variable between pipe symbol from log and use it for query

eval

field extraction

subsearch

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms