Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field Extraction - Parsing - Regex

abhijitnayak
New Member
‎05-21-2012 10:51 PM

Hi Everyone,

I am trying to extract fields from the multivalued Field which has the following

http://pubads.g.doubleclick.net/gampad/ads?correlator=1329033559899&output=json_html&callback=GA_goo...

The parameters are usually separated by param="Value"

From the above text = GA_googleSetAdContentsBySlotForSync

Parameter = &callback
value = GA_googleSetAdContentsBySlotForSync

Parameter = &flash
value = 10.3.181.34

The text above is one field and this parameter extraction has to be done only to websites which are search engines ..

Is there a way to extract the field values even if it is not dynamic way of extraction?

0 Karma
Reply

abhijitnayak
New Member
‎05-27-2012 11:12 PM

GOT IT!!!
source="POC.txt" | regex Field2="google" | makemv delim="&" Field2

0 Karma
Reply

mikelanghorst
Motivator
‎05-22-2012 07:34 PM

Did you look at all the fields, not just those shown on the left? Click Edit, and in the pop-up window that field should already be extracted as "correlator".

Splunk should automatically extract a value any time it sees a key=value. How it determines what are "interesting fields" I'm not sure.

0 Karma
Reply

abhijitnayak
New Member
‎05-22-2012 10:01 PM

Hi Mike , I dont this its so easy .
We would have to parse and cut the words between &param1="WORD"&param2
Let me know if there is a way to do this.

0 Karma
Reply

abhijitnayak
New Member
‎05-22-2012 02:50 AM

Field2 that needs to be extracted is 1329033560.. can you please suggest the regex to derive this multi valued field?

0 Karma
Reply

abhijitnayak
New Member
‎05-22-2012 02:48 AM

I am new to splunk. Can you please tell how to achieve this? I am unable to find the search query using splunk

| eval Field2=substr(message, charindex(message, "&lmt="), charindex(message, "&dt="))

I have used some thing as above but charindex doesnt work.

here "message" is the Field which is been extracted during the data import.

0 Karma
Reply

Ayn
Legend
‎05-21-2012 11:25 PM

I don't understand what's not working and how you would like things to work. Could you state your problem more clearly please?

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...