Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Extracting a string from the search result
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracting a string from the search result
zeewagon
Engager
11-03-2016
05:42 AM
INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:EXCEL
Above is my search result, and I wanna extract the word 'Start' alone. Like using 'awk' in bash. How do I do this in splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
11-04-2016
08:32 AM
Since you wanted to work it like awk and looking at your new data:
- Your word when separated by spaces comes at
awk '{print $6}', so use the fieldindex6after applying the rex as below to get that:your base query| rex "^(?<index1>[\S]+)\s(?<index2>[\S]+)\s(?<index3>[\S]+)\s(?<index4>[\S]+)\s(?<index5>[\S]+)\s(?<index6>[\S]+)\s(?<index7>[\S]+)\s(?<index8>[\S]+)\s(?<index9>[\S]+)\s(?<index10>[\S]+)\s(?<index11>[\S]+)\s(?<index12>[\S]+)\s(?<index13>[\S]+)"|stats count by index6See here
OR
- Your word when separated by
":"comes as the first word ofawk -F":" '{print $4}'which needs another pipe ofawk '{print $1}'since "Start" is the first word of 4th index, hence find that piece asindex4below after applying rex:...| rex "^(?<index1>[^\:]+)\:(?<index2>[^\:]+)\:(?<index3>[^\:]+)\:\s(?<index4>[\S]+)\s(?<index5>[^\:]+)\:(?<index6>[^\:]+)\:(?<index7>[^\:]+)\:(?<index8>[^\:]+)\:\s*(?<index9>[^\s]+)"| stats count by index4See here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
11-04-2016
06:22 AM
Try this.
... | rex "INFO\s:\s(?<action>[^\s]+)" | ...
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zeewagon
Engager
11-04-2016
06:30 AM
It is not working. I want only 'Start' to be displayed in the below line
2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
11-04-2016
01:24 PM
On regex101.com, that rex command puts "Start" into the 'action' field.
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
11-03-2016
07:26 AM
How about this (extracting as field Action)
your base search | rex "^\w+\s*:\s*(?<Action>\w+)"
Updated per latest sample data
your base search | rex "^(\S+\s){4}:\s(?<Action>\w+)"
Sample event
2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zeewagon
Engager
11-03-2016
10:17 PM
But it is not displaying the string 'Start' alone. It displays the whole result 😞 I want it to display only 'Start'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
11-03-2016
10:27 PM
I think what @somesoni2 has as regex will capture what u need in "Action" field. Can u see here that his regex works the way you want it, unless ur data is something else than the one u posted in question.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zeewagon
Engager
11-03-2016
11:30 PM
Okay.
Here is the correct data.
2016-11-04 06:32:50,120 [http-bio-8443-exec-10862] INFO : Start Outputing Report: Project ID:c_exactworld_17121, Format:HTML, Locale: en_US
I want the only 'Start' string to be displayed in the results. How could we do that @gokadroid @somesoni2 ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
richgalloway
SplunkTrust
11-03-2016
07:11 AM
What is your current search? Do you want just "Start" or any word (like "Done") in that position?
For the latter, try
... | rex ":\s+(?<start>\w+)" | ...
---
If this reply helps you, Karma would be appreciated.
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
