I am trying to extract fields from the multivalued Field which has the following
The parameters are usually separated by param="Value"
From the above text = GA_googleSetAdContentsBySlotForSync
Parameter = &callback
value = GA_googleSetAdContentsBySlotForSync
Parameter = &flash
value = 10.3.181.34
The text above is one field and this parameter extraction has to be done only to websites which are search engines ..
Is there a way to extract the field values even if it is not dynamic way of extraction?
I am new to splunk. Can you please tell how to achieve this? I am unable to find the search query using splunk
| eval Field2=substr(message, charindex(message, "&lmt="), charindex(message, "&dt="))
I have used some thing as above but charindex doesnt work.
here "message" is the Field which is been extracted during the data import.
Did you look at all the fields, not just those shown on the left? Click Edit, and in the pop-up window that field should already be extracted as "correlator".
Splunk should automatically extract a value any time it sees a key=value. How it determines what are "interesting fields" I'm not sure.
Hi Mike , I dont this its so easy .
We would have to parse and cut the words between ¶m1="WORD"¶m2
Let me know if there is a way to do this.