Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field-Extraction

tmarlette
Motivator
‎07-10-2014 06:52 AM

I have a some data I am attempting to extract and then do lookups on. I am attempting to extract the FID number, which is effectivley - "FID":FID#:property = < value >

Take a look at my entry:

FID:1022:5=18749,109 FID:1025:5=18752,109 FID:1029:8=0:0:0 FID:1066:5=0,101 FID:1179:1=1 FID:2000:2=1 FID:3001:6=  FID:6335:6=US4592001014 FID:6360:6=2005973 FID:6605:1=1.01755e+013 FID:6630:1=8.26677e-005 FID:7012:6=459200101 FID:8107:1=0 FID:17476:2=0 FID:17483:2=-1 FID:20001:6=ADdomain FID:20003:6=domain1 FID:20008:6=user1 FID:20052:6=DEP01

I attempted to use this REGEX extraction, but splunk doesn't recognize it: FID:(?<FID>\d+):\d+

I'm guess that either RegEx changed, or splunk changed somehow and I missed it, or i'm fat fingering something?

Thank you!

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-10-2014 07:36 AM

This works for me (give a multivalued field will all FID#)

Your base search | rex max_match=0 "FID:(?<FID>\d+):\d+="

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-10-2014 07:36 AM

This works for me (give a multivalued field will all FID#)

Your base search | rex max_match=0 "FID:(?<FID>\d+):\d+="
Reply
Solved! Jump to solution

tmarlette
Motivator
‎07-10-2014 09:14 AM

Thank you!!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-10-2014 08:10 AM

Yes sir. See this link.
http://answers.splunk.com/answers/11777/field-extraction-into-multivalue-field

Reply
Solved! Jump to solution

tmarlette
Motivator
‎07-10-2014 07:47 AM

Thank you!!! This works very well! is there a way to do this in props.conf or transforms?

0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎07-10-2014 07:22 AM

Let's take the first part of the log entry:

FID:1022:5=18749

In this example, the number "1022" is what i'm looking to extract.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-10-2014 07:15 AM

So you want to get the values 1022, 1025, 1029, etc?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tmarlette
Motivator
‎07-10-2014 07:12 AM

This is a snippet of one log entry, and I would need to extract ALL FID#'s from all log entries.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-10-2014 07:08 AM

This is one log entry or 4? In both case, you need to extract all FID#?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...