Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field-Extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a some data I am attempting to extract and then do lookups on. I am attempting to extract the FID number, which is effectivley - "FID":FID#:property = < value >
Take a look at my entry:
FID:1022:5=18749,109 FID:1025:5=18752,109 FID:1029:8=0:0:0 FID:1066:5=0,101 FID:1179:1=1 FID:2000:2=1 FID:3001:6= FID:6335:6=US4592001014 FID:6360:6=2005973 FID:6605:1=1.01755e+013 FID:6630:1=8.26677e-005 FID:7012:6=459200101 FID:8107:1=0 FID:17476:2=0 FID:17483:2=-1 FID:20001:6=ADdomain FID:20003:6=domain1 FID:20008:6=user1 FID:20052:6=DEP01
I attempted to use this REGEX extraction, but splunk doesn't recognize it: FID:(?<FID>\d+):\d+
I'm guess that either RegEx changed, or splunk changed somehow and I missed it, or i'm fat fingering something?
Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works for me (give a multivalued field will all FID#)
Your base search | rex max_match=0 "FID:(?<FID>\d+):\d+="
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This works for me (give a multivalued field will all FID#)
Your base search | rex max_match=0 "FID:(?<FID>\d+):\d+="
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes sir. See this link.
http://answers.splunk.com/answers/11777/field-extraction-into-multivalue-field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!!! This works very well! is there a way to do this in props.conf or transforms?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Let's take the first part of the log entry:
FID:1022:5=18749
In this example, the number "1022" is what i'm looking to extract.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So you want to get the values 1022, 1025, 1029, etc?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is a snippet of one log entry, and I would need to extract ALL FID#'s from all log entries.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is one log entry or 4? In both case, you need to extract all FID#?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
