Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Extract variable between pipe symbol from log and use it for query

krishman23
Explorer
‎10-12-2020 01:31 PM

I have a log generated in splunk which will have unique id  in with pipe symbols:

ex:

 

 

 

 

19:46:47.146 - [http-nio-8000-exec-9] INFO edu.test.controller |{My Var1}|{My Var2}|{myVar3}| - {log message}.

 

 

 

 

I need to perform a query based on {My Var1}.

Also need to list (dedup) all logs best on {My Var1}.

Labels (3)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-12-2020 02:08 PM 
| rex "\|(?<Var1>[^\|]+)\|(?<Var2>[^\|]+)\|(?<Var3>[^\|]+)\|\s\-\s(?<logmessage>.*)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

krishman23
Explorer
‎10-23-2020 08:14 AM

@ITWhisperer: i additional case in this rex, some time my logmessage will have URL as 

Req URL : hello/test/content

 or Req URL : hello/test/content/ , i need to truncate / of second request. Can you help with this ?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-23-2020 08:35 AM 
| rex field=events mode=sed "s/(?<url>[^\/]+\/[^\/]+\/[^\/]+)(?<slash>\/*)/\1/g"
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-12-2020 02:08 PM 
| rex "\|(?<Var1>[^\|]+)\|(?<Var2>[^\|]+)\|(?<Var3>[^\|]+)\|\s\-\s(?<logmessage>.*)"
0 Karma
Reply
Solved! Jump to solution

krishman23
Explorer
‎10-12-2020 03:12 PM

my bad , got it what you are saying.,

As second part of my question how can we user Var1 as variable for next search?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-13-2020 12:02 AM

Depends on what you want to get out of your data

| dedup Var1
| where Var2="xyz"
| stats count by Var3
0 Karma
Reply
Solved! Jump to solution

krishman23
Explorer
‎10-12-2020 02:28 PM

but var1,var2,var3  are unknown to me, those are variables in log

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-12-2020 02:41 PM

The rex extracts the value between the first two pipes into a field called Var1, the value between the second and third pipes into a field called Var2, etc. You can then use these fields in your query or just display them in as columns in a table. Is this not what you want to do?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...